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IN THE CLAIMS 
Please amend the following claims: 

7. (Amended) A system according to claim 6, designed to prove the authenticity of an 
entity called a demonstrator and an entity called a controller, 
said system being such that it comprises: 

- a demonstrator device associated with the demonstrator entity, said demonstrator device 
being interconnected with the witness device by interconnection means and possibly taking the 
form especially of logic microcircuits in a nomad object, for example the form of a 
microprocessor in a microprocessor-based bank card, 

- a controller device associated with the controller entity, said controller device especially 
taking the form of a terminal or remote server, said controller device comprising connection 
means for its electrical, electromagnetic, optical or acoustic connection, especially through a 
data-processing communications network, to the demonstrator device; 

said system enabling the execution of the following steps: 

• Step 1 : act of commitment R 
at each call, the means of computation of the commitments R of the witness device compute each 
commitment R by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q„ Q 2 , ... Q m and public values G„ G 2 , ... G m , m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p„ p 2 , ... p f , f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

Gi . Q, v = 1 . mod n or G ; = Q s v mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1; 
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u 0^1^ :%m *. _ i-p o ,31. 

said public value G s being the square g 2 of a base number g s smaller than the f prime 
factors p„ p 2 , ... p t ; the base number g. being such that the following two conditions are met: 
neither of the two equations: 

x 2 = g; mod n and x 2 s - g ; mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = g 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pj and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q, and/or the f.m components Q u (Q,, , = Q, mod Pj ) of the private 
values Qj and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

R. = i*j V mod pj 

where r ; is a random value associated with the prime number such that 0 < r { < p i? each r, 
belonging to a collection of random values {r, , r 2 , ... r f }, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d; 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D = r . Q, dl . Q 2 d2 . ...Q m dm modn 

• or 

• • by performing operations of the type: 
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D i = r i .Q i /\Q i /\...Q i , m dm mod Pi 

• • and then by applying the Chinese remainder method; 
said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D} process 
specified according to claim 1, 

where as the witness device has means of transmission, hereinafter called the transmission means 
of the witness device, to transmit all or part of each commitment R to the demonstrator device 
through the interconnection means, 

the demonstrator device also has transmission means, hereinafter called the transmission means 
of the demonstrator, to transmit all or part of each commitment R to the controller device 
through the connection means; 

• Step 2: act of challenge d 

the controller device comprises challenge production means for the production, after receiving all 
or part of each commitment R, of the challenges d equal in number to the number of 
commitments R, 

the controller device also has transmission means, hereinafter known as the transmission means 
of the controller, to transmit the challenges d to the demonstrator through the connection means. 

• Step 3: act of response D 

the means of reception of the challenges d of the witness device receive each challenge d coming 
from the demonstrator device through the interconnection means, 

the means of computation of the responses D of the witness device compute the responses D 
from the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q n Q 2 , ... Q m and public values G„ G 2 , ... G m , m 
being greater than or equal to 1 I , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p„ p 2 , ... p f , f being 

greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 
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Gj. Qj v = 1 . mod n or G s = Q^mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value G ; being the square g, 2 of a base number g ; smaller than the f prime 
factors p„ p 2 , ... p, ; the base number g ; being such that the following two conditions are met: 
neither of the two equations: 

x 2 = gj mod n and x 2 = - g; mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = gj 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q t and/or the f.m components Q u (Q i; j ^ mod Pj) of the private 
values Q; and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r< n, 
* or 

• • by performing operations of the type: 

Ri = rj v mod P; 

where is a random value associated with the prime number p, such that 0 < r, < p i9 each v { 
belonging to a collection of random values {r, , r 2 , ... r f } ? 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d; 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 
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• either by performing operations of the type: 

D = r • Qi dl • Qz d2 - — Q m dm mod n 

• or 

• • by performing operations of the type: 

D i = r i .Q i)1 dl .Q u d2 ....Q i>m ' ,m mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D} process 
specified according to claim 1, 

• Step 4: act of checking 

the transmission means of the demonstrator transmit each response D to the controller, 
the controller device also comprises: 

- computation means, hereinafter called the computation means of the controller device, 

- comparison means, hereinafter called the comparison means of the controller device, 
case where the demonstrator has transmitted a part of each commitment R. 

if the transmission means of the demonstrator have transmitted a part of each commitment R, the 
computation means of the controller device, having m public values Gj, G 2? G m , compute a 
reconstructed commitment R\ from each challenge d and each response D, this reconstructed 
commitment R f satisfying a relationship of the type 

R' = Gi dl . G 2 d2 . ... G m dm . D v mod n 
or a relationship of the type 

R' = D y /Gi dl . G 2 d2 . ... G m dm . mod n 
the comparison means of the controller device compare each reconstructed commitment R* with 
all or part of each commitment R received, 

case where the demonstrator has transmitted the totality of each commitment R 

if the transmission means of the demonstrator have transmitted the totality of each commitment 
R, the computation means and the comparison means of the controller device, having m public 
values Gj, G2, G m , ascertain that each commitment R satisfies a relationship of the type 

R = G t dl . G 2 d2 . ... G m dm . D v mod n 
or a relationship of the type 
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R = D v /Gx dl . G 2 d2 . ... G m dm . mod n 

8. (Amended) System according to claim 6, designed to give proof to an entity, known as 
a controller, of the integrity of a message M associated with an entity known as a demonstrator, 
said system being such that it comprises 

- a demonstrator device associated with the demonstrator entity, said demonstrator device 
being interconnected with the witness device by interconnection means and possibly taking the 
form especially of logic microcircuits in a nomad object, for example the form of a 
microprocessor in a microprocessor-based bank card, 

- a controller device associated with the controller entity, said controller device especially 
taking the form of a terminal or remote server, said controller device comprising connection 
means for its electrical, electromagnetic, optical or acoustic connection, especially through a 
data-processing communications network, to the demonstrator device; 

said system enabling the execution of the following steps: 

• Step 1 : act of commitment R 
at each call, the means of computation of the commitments R of the witness device compute each 
commitment R by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q„ Q 2 , ... Q m and public values G„ G 2 , ... G m , m 
being greater than or equal to 1 I , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p„ p 2 , ... p f , f being 

greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

G;. Qj V = 1 . mod n or G ; = Q ; v mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1; 
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said public value G t being the square & 2 of a base number & smaller than the f prime 
factors p 15 p 2 , ... p, ; the base number & being such that the following two conditions are met: 
neither of the two equations: 

x 2 = & mod n and x 2 s - g s mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = gj 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q ; and/or the f.m components Q u (Q u = Q ; mod pj) of the private 
values Qi and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

Ri == i\ v mod 

where r; is a random value associated with the prime number p ; such that 0 < r s < p„ each ^ 
belonging to a collection of random values {r, , r 2 , ... r f }, 

• * then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers dj 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D s r . Q, d1 . Q 2 d2 . ... Q m dm mod n 

• or 

• • by performing operations of the type: 
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D i ,r i .Q i / , .Q i / 2 ....Q im dm modp i 

• • and then by applying the Chinese remainder method; 
said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D} process 
specified in claim 1, 

where as the witness device has transmission means, hereinafter called transmission means of the 
witness device, to transmit all or part of each commitment R to the demonstrator device through 
the interconnection means, 

• Step 2: act of challenge d 

the demonstrator device comprises computation means, hereinafter called the computation means 
of the demonstrator, applying a hashing function h whose arguments are the message M and all 
or part of each commitment R to compute at least one token T, 

the demonstrator device also has transmission means, hereinafter known as the transmission 
means of the demonstrator device, to transmit each token T through the connection means to the 
controller device, 

the controller device also has challenge production means for the production, after having 
received the token T, of the challenges d in a number equal to the number of commitments R, 
the controller device also has transmission means, hereinafter called the transmission means of 
the controller, to transmit the challenges d to the demonstrator through the connection means; 

• Step 3: act of response D 

the means of reception of the challenges d of the witness device receive each challenge d coming 
from the demonstrator device through the interconnection means, 

the means of computation of the responses D of the witness device compute the responses D 
from the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q„ Q 2 , ... Q m and public values G„ G 2 , ... G in , m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product off prime factors p„ p 2 , ... p f , f being 
greater than or equal to 2; 
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said modulus, said exponent and said values being related by relations of the following 

type 

Gj . Qj V = 1 . mod n or G, = mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value G; being the square g ; 2 of a base number g; smaller than the f prime 
factors p„ p 2 , ... p t ; the base number g; being such that the following two conditions are met: 
neither of the two equations: 

x 2 = g; mod n and x 2 = - g, mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = g; 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Qi and/or the f.m components 1 (Q h j = Qj mod pj) of the private 
values Qi and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 
• or 

• • by performing operations of the type: 

R 4 = i*i V mod Pj 

where r t is a random value associated with the prime number p ; such that 0 < r ( < p i? each ^ 
belonging to a collection of random values {r, , r 2 , ... r f }, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d, 
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hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D = r . Q, U1 . Q 2 d \ ... Q m dm mod n 

• or 

• • by performing operations of the type: 

D iS r I .Q I , 1 d, .Q lt2 d2 ....Q i , m dm mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R ? d, D forming a triplet referenced {R, d, D} process 
specified according to claim 1 , 

• Step 4: act of checking 

the transmission means of the demonstrator transmit each response D to the controller, 
the controller device also comprises computation means, hereinafter called the computation 
means of the controller device, having m public values Gj, G2, G m , to firstly compute a 
reconstructed commitment R f , from each challenge d and each response D, this reconstructed 
commitment R' satisfying a relationship of the type 

R f s G! dl . G 2 d2 . G m dm . DV mod n 
or a relationship of the type 

R' = D v /Gi dl . G 2 d2 . » G m dm . mod n 
then, secondly, compute a token T f by applying the hashing function h having as arguments the 
message M and all or part of each reconstructed commitment R f , 

the controller device also has comparison means, hereinafter known as the comparison means of 
the controller device, to compare the computed token T f with the received token T. 

9. (Amended) System according to claim 6, designed to produce the digital signature of a 
message M, hereinafter known as the signed message, by an entity called a signing entity; 
the signed message comprising: 

- the message M, 

- the challenges d and/or the commitments R, 
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- the responses D; 
Signing operation 

said system being such that it comprises a signing device associated with the signing entity, said 
signing device being interconnected with the witness device by interconnection means and 
possibly taking the form especially of logic microcircuits in a nomad object, for example the 
form of a microprocessor in a microprocessor-based bank card, 
said system enabling the execution of the following steps: 

• Step 1: act of commitment R 
at each call, the means of computation of the commitments R of the witness device compute each 
commitment R by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q„ Q 2 , ... Q m and public values G„ G 2 , ... G m , m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p 15 p 2 , ... p f , f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

G ; . Qi V == 1 . mod norGj = Qj V mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value G; being the square g; 2 of a base number gj smaller than the f prime 
factors p 1? p 2 > ••• Pf ; the base number g. being such that the following two conditions are met: 
neither of the two equations: 

x 2 = g; mod n and x 2 = - g f mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = gj 2 mod n 

can be resolved in x in the ring of the integers modulo n; 
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said method implements, in the following steps, an entity called a witness having f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q ; and/or the f.m components Q t j (Q if j = Q; mod pj) of the private 
values Qj and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

Ri = i*i V mod Pi 

where r t is a random value associated with the prime number p s such that 0 < r ; < p i5 each ^ 
belonging to a collection of random values {r, , r 2 , ... r f } ? 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d; 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D = r . Q, dl . Q 2 M . ... Q m dm mod n 

• or 

• • by performing operations of the type: 

D i ^r i .Q M t,, .Q i / 2 ....Q ijm dm mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D} process 
specified according to claim 1, 

where as the witness device has means of transmission, hereinafter called the transmission means 
of the witness device, to transmit all or part of each commitment R to the demonstrator device 
through the interconnection means, 
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• Step 2: act of challenge d 

the signing device comprises computation means, hereinafter called the computation means of 
the signing device, applying a hashing function h whose arguments are the message M and all or 
part of each commitment R to compute a binary train and extract, from this binary train, 
challenges d whose number is equal to the number of commitments R, 

• Step 3: act of response D 

the means for the reception of the challenges d of the witness device receive each challenge d 
coming from the signing device through the interconnection means, 

the means for computing the responses D of the witness device compute the responses D from 
the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q„ Q 2 , ... Q m and public values G„ G 2 , ... G m , m 
being greater than or equal to 1 I , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p„ p 2 , ... p f? f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

Gj . Q ( v = 1 . mod n or G ; = Q^mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1; 

said public value Gj being the square & 2 of a base number g ; smaller than the f prime 
factors p„ p 2 , Pr ; * e base number g; being such that the following two conditions are met: 
neither of the two equations: 

x 2 = g; mod n and x 2 = - g ( mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = gj 2 mod n 

can be resolved in x in the ring of the integers modulo n; 
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said method implements, in the following steps, an entity called a witness having f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q ; and/or the f.m components Q i? j (Q s> j = Q t mod Pj) of the private 
values Qi and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

Ri = r s v mod p 4 

where r { is a random value associated with the prime number pj such that 0 < r, < p i? each i\ 
belonging to a collection of random values {r, , r 2 , ... r f }, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d ; 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D - r . Q, dl . Q 2 d2 . ... Q m dm mod n 

• or 

• • by performing operations of the type: 

D i -r i .Q u d, .Q i / 2 ....Q, m dm mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D} process 
specified according to claim 1, 

where as the witness device comprises transmission means, hereinafter called means of 
transmission of the witness device, to transmit the responses D to the signing device through the 
interconnection means. 
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12. (Amended) A terminal device according to claim 11, designed to prove the 
authenticity of an entity called a demonstrator to an entity called a controller, 
said terminal device being such that it comprises a demonstrator device associated with the 
demonstrator entity, said demonstrator device being interconnected with the witness device by 
interconnection means and being capable especially of taking the form of logic microcircuits in a 
nomad object, for example the form of a microprocessor in a microprocessor-based bank card, 
said demonstrator device also comprising connection means for its electrical, electromagnetic, 
optical or acoustic connection, especially through a data-processing communications network, to 
the controller device associated with the controller entity, said controller device especially taking 
the form of a terminal or remote server; 

said terminal device enabling the execution of the following steps: 

• Step 1: act of commitment R 
at each call, the means of computation of the commitments R of the witness device compute each 
commitment R by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q 19 Q 2 , ... Q m and public values G 15 G 2 , ... G m , m 
being greater than or equal to 1 I , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p n p 2 , ... p f , f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

Gj. Qj v = 1 . mod n or G; = Q; v mod n; 

v designating a public exponent such that 

v-2 k 

where k is a security parameter greater than 1 , 

said public value G t being the square g ; 2 of a base number g t smaller than the f prime 
factors p„ p 2 , ... p f ; the base number & being such that the following two conditions are met: 
neither of the two equations: 
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x 2 = gj mod n and x 2 ^ - g ; mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = gj 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q ; and/or the f.m components Q u (Q u = Q t mod pj) of the private 
values Q.and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

* either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

R.-ifmod 

where r ; is a random value associated with the prime number p; such that 0 < r, < Pi , each r, 
belonging to a collection of random values {r t , r 2 , ... rj, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d ; 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 

a response D, 

• either by performing operations of the type: 

D - r . Qj dl .Q 2 d2 ....Q m dm modn 

• or 

• • by performing operations of the type: 

D; = T; . Q M dl . Q i>2 d2 . Qi, m dm mod Pi 

• • and then by applying the Chinese remainder method; 
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said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D} process 
specified according to claim 1, 

where as the witness device has transmission means, hereinafter called the transmission means of 
the witness device, to transmit all or part of each commitment R to the demonstrator device 
through the interconnection means, 

the demonstrator device also has transmission means, hereinafter called the transmission means 
of the demonstrator, to transmit all or part of each commitment R to the controller device, 
through the connection means; 

• Steps 2 and 3: act of challenge d, act of response D 
the means of reception of the challenges d of the witness device receive each challenge d coming 
from the controller device through the connection means between the controller device and the 
demonstrator device and through the interconnection means between the demonstrator device and 
the witness device, 

the means of computation of the responses D of the witness device compute the responses D 
from the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q l9 Q 2 , ... Q m and public values G„ G 2 , ... G m , m 
being greater than or equal to 1 I , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p„ p 2 , ... p f , f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

G ; . Qi v = 1 . mod n or G; = Q ; v mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1; 

said public value G; being the square g; 2 of a base number g s smaller than the f prime 
factors p t , p 2 , ... p f ; the base number g, being such that the following two conditions are met: 
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neither of the two equations: 

x 2 = gj mod n and x 2 = - g s mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = gj 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
p ; and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q, and/or the f.m components Q u (Q, } = Qi mod Pj) of the private 
values Qj and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r< n, 

• or 

• • by performing operations of the type: 

Ri =s i-j V mod Pi 

where r ; is a random value associated with the prime number p ; such that 0 < r, < p i? each r ; 
belonging to a collection of random values {r, , r 2 , ... r f }, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d ; 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D = r . Q, dl . Q 2 d2 . ...Q m dm modn 

• or 

• • by performing operations of the type: 

D i -r i .Q M dl .Q i , 2 d2 .».Q im dm mod Pi 

• • and then by applying the Chinese remainder method; 
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said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D} process 
specified according to claim 1, 

• Step 4: act of checking 

the transmission means of the demonstrator transmit each response D to the controller that carries 
out the check. 

13. (Amended) Terminal device according to claim 11, designed to give proof to an 
entity, known as a controller, of the integrity of a message M associated with an entity known as 
a demonstrator, 

said terminal device being such that it comprises a demonstrator device associated with the 
demonstrator entity, said demonstrator device being interconnected with the witness device by 
interconnection means and being capable especially of taking the form of logic microcircuits in a 
nomad object, for example the form of a microprocessor in a microprocessor-based bank card, 
said demonstrator device comprising connection means for its electrical, electromagnetic, optical 
or acoustic connection, especially through a data-processing communications network, to the 
controller device associated with the controller entity, said controller device especially taking the 
form of a terminal or remote server; 

said terminal device being used to execute the following steps: 

• Step 1 : act of commitment R 

at each call, the means of computation of the commitments R of the witness device compute each 
commitment R by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q„ Q 2 , ... Q m and public values G 15 G 2 , ... G m , m 
being greater than or equal to 1 L or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p„ p 2 , ... p f , f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 
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G f . Q; v = 1 . mod n or G; = Q^mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value Gj being the square g 2 of a base number g s smaller than the f prime 
factors p n p 2 , ... p f ; the base number g. being such that the following two conditions are met: 
neither of the two equations: 

x 2 = gj mod n and x 2 = - g; mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = g 2 mod ii 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q t and/or the f.m components Q u (Q ul = Q t mod p.) of the private 
values Qj and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 
• or 

• • by performing operations of the type: 

R^r^mod p ; 

where r ; is a random value associated with the prime number p f such that 0 < r t < p i9 each r. 
belonging to a collection of random values {r, , r 2 , ... r f }, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d; 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 



21 



• either by performing operations of the type: 

D = r.Q, d, .Q 2 d2 . ...Q m Um modn 

• or 

• • by performing operations of the type: 

Dg = n . Q M dl . Q i)2 d2 . Qi, m dm mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D} process 
specified according to claim 1; 

where as the witness device has means of transmission, hereinafter called the transmission means 
of the witness device, to transmit all or part of each commitment R to the demonstrator device 
through the interconnection means, 

• Steps 2 and 3: act of challenge d, act of response D 

the demonstrator device comprises computation means, hereinafter called the computation means 
of the demonstrator, applying a hashing function h whose arguments are the message M and all 
or part of each commitment R to compute at least one token T, 

the demonstrator device also has transmission means, hereinafter known as the transmission 
means of the demonstrator device, to transmit each token T, through the connection means, to the 
controller device, 

said controller, after having received the token T, produces challenges d equal in number to the 
number of commitments R, 

the means of reception of the challenges d of the witness device receive each challenge d coming 
from the controller device through the connection means between the controller device and the 
demonstrator device and through the interconnection means between the demonstrator device and 
the witness device, 

the means of computation of the responses D of the witness device compute the responses D 
from the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q n Q 2 , ... Q m and public values G„ G 2 , ... G m , m 
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being greater than or equal to 1 I , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p„ p 2 , ... p f , f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

G; . Qj v = 1 . mod n or G ; = Q^mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value G; being the square gi 2 of a base number g. smaller than the f prime 
factors p 15 p 2 , ... p f ; the base number & being such that the following two conditions are met: 
neither of the two equations: 

x 2 = g; mod n and x 2 = - & mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = g 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q, and/or the f.m components Q ui (Q u = C^mod pj) of the private 
values Q : and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 
• or 

• • by performing operations of the type: 

Rj = mod 

where r ; is a random value associated with the prime number Pi such that 0 < r t < p i? each r, 
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belonging to a collection of random values {r, , r 2 , ... r f }, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d s 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D = r . Q, dI . Q 2 d2 . ... Q m dm mod n 

• or 

• • by performing operations of the type: 

D i -r i .Q i / , .Q i2 d2 ....Q im dm mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D} process 
specified according to claim 1 , 

• Step 4: act of checking 

the transmission means of the demonstrator send each response D to the controller device which 
performs the check. 

14. (Amended) Terminal device according to claim 11, designed to produce the digital 
signature of a message M, hereinafter known as the signed message, by an entity called a signing 
entity; 

the signed message comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D; 

said terminal device being such that it comprises a signing device associated with the signing 
entity, said signing device being interconnected with the witness device by interconnection 
means and possibly taking especially the form of logic microcircuits in a nomad object, for 
example the form of a microprocessor in a microprocessor-based bank card, 
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said demonstrator device comprising connection means for its electrical, electromagnetic, optical 
or acoustic connection, especially through a data-processing communications network, to the 
controller device associated with the controller entity, said controller device especially taking the 
form of a terminal or remote server; 
Signing operation 

said terminal device being used to execute the following steps: 

• Step 1 : act of commitment R 
at each call, the means of computation of the commitments R of the witness device compute each 
commitment R by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q„ Q 2 , ... Q m and public values G„ G 2 , ... G m , m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p 1? p 2 , ... p f , f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

G s . Q; v = 1 . mod norG^ Q^mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value G ; being the square g ; 2 of a base number gj smaller than the f prime 
factors p„ p 2 , ... p f ; the base number g,- being such that the following two conditions are met: 
neither of the two equations: 

x 2 = g ; mod n and x 2 = - g f mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = g,- 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
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Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q, and/or the f.m components Q i} j (Q u = Q, mod Pj ) of the private 
values Q ; and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 

commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

R. = r; v mod Pi 

where r, is a random value associated with the prime number p s such that 0 < r ; < p i? each r, 
belonging to a collection of random values {r, , r 2 , ... r f } ? 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d ; 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 

a response D, 

• either by performing operations of the type: 

D^r.Q 1 dl .Q 2 dZ . .-Q m dm modn 



1 or 



• • by performing operations of the type: 

D i -r i .Q M d, .Q i / 2 ..»Q, m dm mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D} process 
specified according to claim 1, 

where as the witness device has means of transmission, hereinafter called the transmission means 
of the witness device, to transmit all or part of each commitment R to the signing device through 
the interconnection means, 

• Step 2: act of challenge d 
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the signing device comprises computation means, hereinafter called the computation means of 
the signing device, applying a hashing function h whose arguments are the message M and all or 
part of each commitment R to compute a binary train and extract, from this binary tram, 
challenges d whose number is equal to the number of commitments R, 

• Step 3: act of response D 
the means for the reception of the challenges d of the witness device receive each challenge d 
coming from the signing device through the interconnection means, 

the means for computing the responses D of the witness device compute the responses D from 
the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q n Q 2 , ... Q m and public values G„ G 2 , ... G m , m 
being greater than or equal to 1 I , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p„ p 2 , ... p„ f being 

greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

Gj. Qi v = 1 . mod norGi- Q^mod n; 
v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1; 

said public value G } being the square g ; 2 of a base number & smaller than the f prime 
factors p„ p 2 , ... p f ; the base number & being such that the following two conditions are met: 
neither of the two equations: 

x 2 = g; mod n and x 2 = - g ; mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = gi 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
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Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q ; and/or the f,m components (Q u = Q ; mod pj) of the private 
values Qi and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

Rj = r; v mod p ; 

where r, is a random value associated with the prime number P; such that 0 < r, < p i? each r s 
belonging to a collection of random values {r, , r 2 , ... r f }, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d, 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 

a response D, 

• either by performing operations of the type: 

D = r . Q, d1 . Q 2 d2 . ... Q m dm modn 

• or 

• • by performing operations of the type: 

D iSri . Qj,, Jl . Q i2 d2 . Qi, m Um mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D} process 
specified according to claim 1 , 

where as the witness device comprises transmission means, hereinafter called means of 
transmission of the witness device, to transmit the responses D to the signing device, through the 
interconnection means. 
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REMARKS 

The above preliminary amendment is made to remove multiple dependencies from 
claims 7, 8, 9, 12, 13 and 14. 

A new abstract page is supplied to conform to that appearing on the publication 
page of the WIPO application, but the new Abstract is typed on a separate page as required by 
U.S. practice. 

Applicants respectfully request that the preliminary amendment described herein 
be entered into the record prior to calculation of the filing fee and prior to examination and 
consideration of the above-identified application. 

If a telephone conference would be helpful in resolving any issues concerning this 
communication, please contact Applicants' primary attorney-of record, John J. Gresens (Reg. No. 
33,112), at (612) 371.5265. 



Respectfully submitted, 



MERCHANT & GOULD P.C. 
P.O. Box 2903 

Minneapolis, Minnesota 55402-0903 
(612) 332-5300 



Dated: July 24, 2001 




JJG/tvm 



29 



ABSTRACT 



Title: METHOD FOR PROVING THE AUTHENTICITY OR INTEGRITY OF A MESSAGE 
BY MEANS OF A PUBLIC EXPONENT EQUAL TO THE POWER OF TWO 

Proof is established by means of the following parameters: m pairs of private values Q, 
and public values G, m>l, a public module n made of the product off first factors p JS f>2, a 
public exponent v, linked to each other by relations of the type: G,.Qi v = 1 mod n or G, =Qi V mod 
n. Said exponent v is such that v=2 k where k>l is a security parameter. Public value G, is the 
square g 2 of a base number & that is lower than f first factors p J; so that the two equations: x2=gi 
mod n and x 2 = -g, mod n do not have a solution in x in the ring of the modulo n integers and such 
that the equation x v =& 2 mod n has solutions in x in the ring of the modulus n integers. 
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7. (Amended) A system according to claim 6, designed to prove the authenticity of an 
entity called a demonstrator and an entity called a controller, 
said system being such that it comprises: 

- a demonstrator device associated with the demonstrator entity, said demonstrator device 
being interconnected with the witness device by interconnection means and possibly taking the 
form especially of logic microcircuits in a nomad object, for example the form of a 
microprocessor in a microprocessor-based bank card, 

- a controller device associated with the controller entity, said controller device especially 
taking the form of a terminal or remote server, said controller device comprising connection 
means for its electrical, electromagnetic, optical or acoustic connection, especially through a 
data-processing communications network, to the demonstrator device; 

said system enabling the execution of the following steps: 

• Step 1: act of commitment R 
at each call, the means of computation of the commitments R of the witness device compute 
each commitment R by applying the method designed to prove to a con troller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q u Oi, ... Qm and public values G u G 2 , G m? m 
being greater than or equal to 1 L or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors pi, p 2 , ... Pf, f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

Gi_. Q; v = 1 . mod n or G , = Qj V mod n; 

v designating a public exponent such that 

v = 2 

where k is a security parameter greater than 1 ; 

said public value G ; being the square g i 2 of a base number & smaller than the f prime 
fWj^iiJiiU??^-- P f i the base number gj being such that the followin g two conditions are met: 
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neither of the two equations: 

x 2 == mod n and x 2 = - g j modn 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = g j 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness ha ving f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/o r the public modulus n 
and/or the m private values Qj and/or the f.m components Q L j (Q a . ; ^ _Qi modj^j) of the private 
values Q j and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 

commitment being computed: 

* either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

* or 

• * by performing operations of the type: 

Ri =s r ; v mod p s 

where r ; is a random value associated with the prime number p t such that 0 < r L <j£ [2 _eachri 
belonging to a collection of random values {n , r 2 j_^JgfL 

* • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers dj 
hereinafter called elementary challenges; the witness, on the basis of each chal lenge d, computes 
a response D, 

* either by performing operations of the type: 

D^Q 1 dl . Q 2 d2 . ... Q m dm mod n 

* or 

* • by performing operations of the type: 

Di^l^ld-^^A^QL m "'" mod P i 

♦ • and then by applying the Chinese remainder method; 



said method being such that there are as many responses D a s there are challenges d as there are 
commitments R. each group of numbers R. d. D forming a trip let referenced {R, d, Dl [process 
specified according to claim 1], 

where as the witness device has means of transmission, hereinafter called the transmission means 
of the witness device, to transmit all or part of each commitment R to the demonstrator device 
through the interconnection means, 

the demonstrator device also has transmission means, hereinafter called the transmission means 
of the demonstrator, to transmit all or part of each commitment R to the controller device 
through the connection means; 

• Step 2: act of challenge d 

the controller device comprises challenge production means for the production, after receiving 
all or part of each commitment R, of the challenges d equal in number to the number of 
commitments R, 

the controller device also has transmission means, hereinafter known as the transmission means 
of the controller, to transmit the challenges d to the demonstrator through the connection means. 

• Step 3: act of response D 

the means of reception of the challenges d of the witness device receive each challenge d coming 
from the demonstrator device through the interconnection means, 

the means of computation of the responses D of the witness device compute the responses D 
from the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q i, Q 2? ^_Qm and public values G,, G 2; „ . Cj m , in 
being greater than or equal to 1 L or of the parameters derived from these va lues, 

- a public modulus n constituted by the product off prime factors Pi, p 2 , ••• P f , f being 

greater than or equal to 2; 

said modulus, said exponent and said values being relate d bv relations of the following 

t ype 

G j . O i V - 1 . mod n or G ; - Q . v mod n; 

v designating a public exponent such that 



o ^i'B S3 iL s y> i a „i :i, £; in li 



v = 2 

where k is a security parameter greater than 1; 

said public value G ; being the square g 2 of a base number g t smaller t han the f prime 
factors pu p 2 . ... p_ f ; the base number g= being such that the following two co nditions are met: 
neither of the two equations: 

x 2 = gi mod n and x 2 = - g j mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = g j 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness havi ng f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q ; and/or the f.m components Qi. 8 (Qi, j^ Qi mod^j) of the private 
values Q i and of the public exponent v; 

- the witness computes commitments R in the ring of the in tegers modulo n; each 

commitment being computed: 

* either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 
* or 

• • by performing operations of the type: 

Ri ~ r; v mod p, 

where n is a random value associated with the prime number p, such that 0 < r } <j la _gachj5 
belonging to a collection of random values {r t , r2_j_^ J L _rfL 

• » then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers dj 
hereinafter called elementary challenges; the witness, on the basis of each challen ge d, computes 

a response D, 

* either by performing operations of the type: 

D£L,Oi dl . C h d2 « ... On, dm mod D 



« or 

* * by performing operations of the type: 

* • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D a s there are challenges d as there are 
commitments R. each group of numbers R, d, D forming a triplet referenced {R , d, D} [process 
specified according to claim 1], 

• Step 4: act of checking 
the transmission means of the demonstrator transmit each response D to the controller, 
the controller device also comprises: 

- computation means, hereinafter called the computation means of the controller device, 

- comparison means, hereinafter called the comparison means of the controller device, 
case where the demonstrator has transmitted a part of each commitment R. 

if the transmission means of the demonstrator have transmitted a part of each commitment R, the 
computation means of the controller device, having m public values Gj, G 2 , G m , compute a 
reconstructed commitment R', from each challenge d and each response D, this reconstructed 
commitment R 1 satisfying a relationship of the type 

R » = d dl . G 2 d2 . »• G m dm . DV mod n 
or a relationship of the type 

R' ^ D v /Gj dl . G 2 d2 . .» G m dm . mod n 
the comparison means of the controller device compare each reconstructed commitment R f with 
all or part of each commitment R received, 

case where the demonstrator has transmitted the totality of each commitment R 

if the transmission means of the demonstrator have transmitted the totality of each commitment 
R, the computation means and the comparison means of the controller device, having m public 
values Gi, G 2 , G m , ascertain that each commitment R satisfies a relationship of the type 

R = Gi dl . G 2 d2 • G m dm . D v mod n 
or a relationship of the type 

R = D v /Gi dl . G 2 d2 . ... G m dm . mod n 



8. (Amended) System according to claim 6, designed to give proof to an entity, known as 
a controller, of the integrity of a message M associated with an entity known as a demonstrator, 
said system being such that it comprises 

- a demonstrator device associated with the demonstrator entity, said demonstrator device 
being interconnected with the witness device by interconnection means and possibly taking the 
form especially of logic microcircuits in a nomad object, for example the form of a 
microprocessor in a microprocessor-based bank card, 

- a controller device associated with the controller entity, said controller device especially 
taking the form of a terminal or remote server, said controller device comprising connection 
means for its electrical, electromagnetic, optical or acoustic connection, especially through a 
data-processing communications network, to the demonstrator device; 

said system enabling the execution of the following steps: 

• Step 1 : act of commitment R 
at each call, the means of computation of the commitments R of the witness device compute 
each commitment R by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q i, Q 2 , ... Q m and public values G t , G 2 , ... G m? m 
being greater than or equal to 1 1 , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p i, p 2 , ... p_f, f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

G^ . Qi v 5= 1 . mod n or G , = Q t v mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value G ; being the square g j 2 of a base number g j smaller than the f prime 
factors p 1% p?, ... P f : the base number g j being such that the following two conditions are met: 
neither of the two eq uations: 
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x 2 = g j mod n and x 2 = ■ g ; mod n 

can be resolved in x in the ring of integers modulo a 
the equation: 

x v = g ; 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pi^ and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q , and/or the f.m components Q l } (Q -^j = CMnod P j ) of the private 
values Q i and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

♦ either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 
» or 

* • by performing operations of the type: 

Ri = r , v mod Pi 

where r ; is a random value associated with the prime number P i such that 0 < r L < p ; , each r ; 
belonging to a collection of random values {r \ , rg , rj-}, 

* * then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d, 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D = r . Q x dl . Q 2 d2 - ... Q m dm mod n 



or 



by performing operations of the type: 

Pi ^ r t . Q M dl . O i. 2 d2 . ... Q ,. m dm mod Pi 
and then by applying the Chinese remainder method; 



said method being such that there are as many responses D as there are challenges d as there are 
commitments R. each group of numbers R. d. D forming a trip let referenced {R, d, D} [process 
specified in claim 1], 

where as the witness device has transmission means, hereinafter called transmission means of the 
witness device, to transmit all or part of each commitment R to the demonstrator device through 
the interconnection means, 

• Step 2: act of challenge d 

the demonstrator device comprises computation means, hereinafter called the computation means 
of the demonstrator, applying a hashing function h whose arguments are the message M and all 
or part of each commitment R to compute at least one token T, 

the demonstrator device also has transmission means, hereinafter known as the transmission 
means of the demonstrator device, to transmit each token T through the connection means to the 
controller device, 

the controller device also has challenge production means for the production, after having 
received the token T, of the challenges d in a number equal to the number of commitments R, 
the controller device also has transmission means, hereinafter called the transmission means of 
the controller, to transmit the challenges d to the demonstrator through the connection means; 

• Step 3: act of response D 

the means of reception of the challenges d of the witness device receive each challenge d coming 
from the demonstrator device through the interconnection means, 

the means of computation of the responses D of the witness device compute the responses D 
from the challenges d by applying the method designed to prove to a controller ent ity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qi, Q 2 , ... Q,„ an d public values Gi 3 _G ls _ z ^_G„ 1 ,_m 
being greater than or equal to 1 L or of the parameters de rived from these values, 

- a public modulus n constituted by the product of f prime factors p t , p 2 , . . ^_B fj J_being 

greater than or equal to 2; 

said modulus, said exponent and said values being relate d by relations of the following 

type 



Gj . Q j V = 1 . mod n or G j = Q , v mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value G \ being the square g j 2 of a base number g j smaller than the f prime 
factors pu P g , ... Pf ; the base number & being such that the following two conditions are met: 
neither of the two equations: 

x 2 = g j mod n and x 2 = - g j mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = g j 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q j and/or the f-m components Q jj (Q i^j = Q ^mod Pj) of the private 
values Q ^ and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

» either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 
* or 

* * by performing operations of the type: 

Ri = r; v mod p , 

where r , is a random value associated with the prime number p ; such that 0 < r ^< p; , each rj 
belonging to a collection of random values {n , r 2 ^ ... r f |, 

* * then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d, 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 
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* either by performing operations of the type: 

D = r . Q i dl . Q 2 d2 . ... Q n , dm mod n 

* or 

* * by performing operations of the type: 

Pi ^ n . Qi, dl . 0 , 2 d2 . ... O i. m dm mod Pi 

* * and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced (R, d, D } [process 
specified according to claim 1], 

* Step 4: act of checking 

the transmission means of the demonstrator transmit each response D to the controller, 
the controller device also comprises computation means, hereinafter called the computation 
means of the controller device, having m public values Gj, G2, G m , to firstly compute a 
reconstructed commitment R', from each challenge d and each response D, this reconstructed 
commitment R r satisfying a relationship of the type 

R' s Gj dl . G 2 d2 . ... G m dm . D v mod n 
or a relationship of the type 

R' = D v /G! dl . G 2 d2 . ... G m dm . mod n 
then, secondly, compute a token T 1 by applying the hashing function h having as arguments the 
message M and all or part of each reconstructed commitment R*, 

the controller device also has comparison means, hereinafter known as the comparison means of 
the controller device, to compare the computed token T* with the received token T. 

9. (Amended) System according to claim 6, designed to produce the digital signature of a 
message M, hereinafter known as the signed message, by an entity called a signing entity; 
the signed message comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D; 
Signing operation 
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said system being such that it comprises a signing device associated with the signing entity, said 
signing device being interconnected with the witness device by interconnection means and 
possibly taking the form especially of logic microcircuits in a nomad object, for example the 
form of a microprocessor in a microprocessor-based bank card, 
said system enabling the execution of the following steps: 

• Step 1 : act of commitment R 
at each call, the means of computation of the commitments R of the witness device compute 
each commitment R by applying the method designed to prove to a controlle r entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

bv means of all or part of the private values Q f , Qi^^ Qm and public values Gi^Gz^^Gm^JS 
being greater than or equal to 1 L or of the parameters deriv ed from these values, 

- a public modulus n constituted by the product of f prime factors p i, p 2 , .^_PfJLbemg 

greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

G L . Q i v = 1 . mod norG j = Qj V mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value G ; being the square g . 2 of a base number & smaller than the f prime 
fVt^^ P f the base number g. being such that the following two conditions are met: 
neither of the two equations: 

x 2 = gj mod n and x 2 = - gj mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = g ; 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness hav i n g f prime factors 
P ; and/or parameters of the Chinese remainders of the prime factors and/or the public mod ulus n 
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and/or the m private values Q i and/or the f.m components <X ; (Qu i^ Qi mod p;) of the private 
values Q ^ and of the public exponent v; 

- the witness computes commitments R in the -ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 
■ or 

* * by performing operations of the type: 

Ri = t V mod P i 

where n is a random value associated with the prime number p t such tha t 0 < r L <_Ei^gachjj 
belonging to a collection of random values {r x , r 2 ^^ fh 

* « then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d { 
hereinafter called elementary challenges: the witness, o n the basis of each challenge d, computes 

a response D, 

• either by performing operations of the type: 

• or 

* * by performing operations of the type: 

Di^l^U-^i^^^i^ dm mod P i 

* • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are ch allenges d as there are 
commitments R. each group of numbers R. d. D forming a triplet r efe renced {R, d, D } [process 
specified according to claim 1], 

where as the witness device has means of transmission, hereinafter called the transmission means 
of the witness device, to transmit all or part of each commitment R to the demonstrator device 
through the interconnection means, 
•Step 2: act of challenge d 
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the signing device comprises computation means, hereinafter called the computation means of 
the signing device, applying a hashing function h whose arguments are the message M and all or 
part of each commitment R to compute a binary train and extract, from this binary train, 
challenges d whose number is equal to the number of commitments R, 

• Step 3: act of response D 
the means for the reception of the challenges d of the witness device receive each challenge d 
coming from the signing device through the interconnection means, 

the means for computing the responses D of the witness device compute the responses D from 
the challenges d by applying the method designed to pro ve to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q u Q2 , .-^Qm and public values G i^G 2 ^ G^^m 
being greater than or equal to 1 L or of the parameters deriv ed from these values, 

- a public modulus n constituted by the product of f prime factors p t , P2^^_P^l_bging 

greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

G L . Oi v = 1 . mod n or G j = Q j V mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value G ; being the square g = 2 nf * base number gi smaller than the f p r ime 
to^,^... p f : the base number g ; being such that the following two c onditions are met: 
neither of the two equations: 

y 2 = mod 11 and x 2 = - gj mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = g j 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 




p ; and/or parameters of the Chinese remainders of the prime factors and/or the p ublic modulus n 
and/or the m private values Q i and/or the f.m components Q { . ; (Q u mod p;) of the private 

values Q j and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; ea ch 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < 



• or 

• • by performing operations of the type: 

Ri = ri v mod P i 

whgre r. is a random value associated with the prime number p t such that 0 < r; <jE b _gachrj 
belonging to a collection of random values {v\ , r 2 3 _^T fL 

• * then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers dj 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

* either by performing operations of the type: 



or 



» * by performing operations of the type: 

D^^Qm dl . d2 . ... Q L m dm mod Pi 

• • and then by applying the Chinese remainder method; 
said method being such that there are as many responses D as there ar e chall enges d as there are 
commitments R. each group of numbers R. d, D forming a triplet referenced {R , d 7 D} [process 
specified according to claim 1], 

where as the witness device comprises transmission means, hereinafter called means of 
transmission of the witness device, to transmit the responses D to the signing device through the 
interconnection means. 



12. (Amended) A terminal device according to claim 11, designed to prove the 
authenticity of an entity called a demonstrator to an entity called a controller, 
said terminal device being such that it comprises a demonstrator device associated with the 
demonstrator entity, said demonstrator device being interconnected with the witness device by 
interconnection means and being capable especially of taking the form of logic microcircuits in a 
nomad object, for example the form of a microprocessor in a microprocessor-based bank card, 
said demonstrator device also comprising connection means for its electrical, electromagnetic, 
optical or acoustic connection, especially through a data-processing communications network, to 
the controller device associated with the controller entity, said controller device especially taking 
the form of a terminal or remote server; 

said terminal device enabling the execution of the following steps: 

* Step 1: act of commitment R 
at each call, the means of computation of the commitments R of the witness device compute 
each commitment R by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q i, Qg , ... Q m and public values G i , Gj, ... G im m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors P i , p g , ... Pf, f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

G ^. Q j V = 1 . mod n or G j = Q j V mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value G ; being the square g j 2 of a base number 2 ; smaller than the f prime 
factors p i, p i , ... p f ; the base number g j being such that the following two conditions are met: 
neither of the two equations: 
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can be resolved in x in the ring of integers modulo n 
the equation: 

x v = g ; 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pi^ and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q j and/or the f.m components Q ; t j (Q lj = Q ^mod Pj ) of the private 
values Q j and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

* either by performing operations of the type: 

R s= r v mod n 
where r is a random value such that 0 < r < n, 
• or 

* * by performing operations of the type: 

Ri = r , v mod p ; 

where r ; is a random value associated with the prime number p , such that 0 < r^< p , , each 
belonging to a collection of random values {n , r g , ... r f |, 

* • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers dj 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

* either by performing operations of the type: 

DsEr.Q i dl .Q 2 d2 . ...Q m dm modn 

• or 

9 9 by performing operations of the type: 

Pi = r ; . Qu dl . Q i, 2 d2 . ... 0 ,. m dm mod Pi 

* * and then by applying the Chinese remainder method; 



said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D } [process 
specified according to claim 1], 

where as the witness device has transmission means, hereinafter called the transmission means of 
the witness device, to transmit all or part of each commitment R to the demonstrator device 
through the interconnection means, 

the demonstrator device also has transmission means, hereinafter called the transmission means 
of the demonstrator, to transmit all or part of each commitment R to the controller device, 
through the connection means; 

• Steps 2 and 3: act of challenge d, act of response D 
the means of reception of the challenges d of the witness device receive each challenge d coming 
from the controller device through the connection means between the controller device and the 
demonstrator device and through the interconnection means between the demonstrator device 
and the witness device, 

the means of computation of the responses D of the witness device compute the responses D 
from the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q i , Q g , ... Q m and public values Gi, G 2 , ... G m , m 
being greater than or equal to 1 1 , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p i, Pj, ... P f, f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

Gj_. Oi V = 1 . mod n or G , = Q ; v mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1; 

said public value G i being the square g i 2 of a base number g i smaller than the f prime 
factors p u Pj i Pf ; the base number g ; being such that the following two conditions are met: 



neither of the two equations: 

x 2 = g , mod n and x 2 = - g ; mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = g j 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
p^and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q \ and/or the f.m components Q kj (Q i^j = Q ^ mod P j ) of the private 
values Q j^ and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

* either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 
* or 

■ • by performing operations of the type: 

Ri = r , v mod Pj 

where r i is a random value associated with the prime number p , such that 0 < r^< p , , each r\ 
belonging to a collection of random values {n ■> i" 2 , ... r f}, 

* • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d ; 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

♦ either by performing operations of the type: 

D = r . Q i dl . Q 2 d2 . ... Q m d '" mod n 

* or 

"by performing operations of the type: 

D; = fj * Oi.i dl . Q . T 2 d2 . ... O lh , dm mod Pi 

* » and then by applying the Chinese remainder method; 



said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D } [process 
specified according to claim 1], 

♦ Step 4: act of checking 

the transmission means of the demonstrator transmit each response D to the controller that 
carries out the check. 

13. (Amended) Terminal device according to claim 11, designed to give proof to an 
entity, known as a controller, of the integrity of a message M associated with an entity known as 
a demonstrator, 

said terminal device being such that it comprises a demonstrator device associated with the 
demonstrator entity, said demonstrator device being interconnected with the witness device by 
interconnection means and being capable especially of taking the form of logic microcircuits in a 
nomad object, for example the form of a microprocessor in a microprocessor-based bank card, 
said demonstrator device comprising connection means for its electrical, electromagnetic, optical 
or acoustic connection, especially through a data-processing communications network, to the 
controller device associated with the controller entity, said controller device especially taking the 
form of a terminal or remote server; 

said terminal device being used to execute the following steps: 

• Step 1: act of commitment R 

at each call, the means of computation of the commitments R of the witness device compute 
each commitment R by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q i , Q2, ... Q m and public values G i , G g , ... G m , m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p i, P2, ... P f, f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 



o q a o -91 e 3 ., % k3i :i en /i. 

G^ . Q\ = 1 . mod n or G j = 0 ; v mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value G i being the square g ; 2 of a base number g j smaller than the f prime 
factors ... p f ; the base number g j being such that the following two conditions are met: 

neither of the two equations: 

x 2 = g j mod n and x 2 == - g ; mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = g j 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q t and/or the f.m components Q lj (Q kj - Qt mod Pj) of the private 
values Q L and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

* either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 
* or 

« * by performing operations of the type: 

Ri = i* j V mod pi 

where n is a random value associated with the prime number p ; such that 0 < r L < p,, each r { 
belonging to a collection of random values {r t , r 2 , ... r f } ? 

* * then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers dj 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 
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* either by performing operations of the type: 

DjELL^Qi dl . Or d2 . ... Q m dm mod n 

« or 

♦ • by performing operations of the type: 

Dj s ri . dl . Q i 2 d \ ... Q i m "'" mgd jg, 

♦ ♦ and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are ch allenges d as there are 
commitments R. each group of numbers R. d. D form ing a triplet referenced {R, d, D} [process 
specified according to claim 1]; 

where as the witness device has means of transmission, hereinafter called the transmission means 
of the witness device, to transmit all or part of each commitment R to the demonstrator device 
through the interconnection means, 

• Steps 2 and 3: act of challenge d, act of response D 

the demonstrator device comprises computation means, hereinafter called the computation means 
of the demonstrator, applying a hashing function h whose arguments are the message M and all 
or part of each commitment R to compute at least one token T, 

the demonstrator device also has transmission means, hereinafter known as the transmission 
means of the demonstrator device, to transmit each token T, through the connection means, to 
the controller device, 

said controller, after having received the token T, produces challenges d equal in number to the 
number of commitments R, 

the means of reception of the challenges d of the witness device receive each challenge d coming 
from the controller device through the connection means between the controller device and the 
demonstrator device and through the interconnection means between the demonstrator device 
and the witness device, 

the means of computation of the responses D of the witness device compute the responses D 
from the challenges d by applying the method designed to prove to a controller entity , 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q u Qz , -^_Qm and public values C; l; C 2 , .-^Gm^m 
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being greater than or equal to 1 L or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p u p 2 , ... P f, f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

G L . Qj v = 1 ■ mod n or G ; = Qj V mod n; 

v designating a public exponent such that 

v = 2 

where k is a security parameter greater than 1; 

said public value G , being the square g i 2 of a base number g . smaller than the f prime 
factors p i, pj, ... p f : the base number g i being such that the following two conditions are met: 
neither of the two equations: 

x 2 = g| mod n and x 2 = - g , mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = g j 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q ; and/or the f.m components Qj, 8 (Q 8 . , =_Qi modjPj) of the private 
values Q j and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

* either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 
* or 

» * by performing operations of the type: 

R, = mod Pi 

where r ; is a random value associated with the prime number P t such that 0 < r, < p i? each r; 




belonging to a collection of random values , , ■■■ r f |, 

* • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers dj 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

* either by performing operations of the type: 

D = r.Q i d1 .Q 2 d2 ....Q m dm modn 

* or 

"by performing operations of the type: 

Pi ^ r, . Qu dl . Q i, 2 d2 . ... Qum dm mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced (R, d, D } [process 
specified according to claim 1], 

* Step 4: act of checking 

the transmission means of the demonstrator send each response D to the controller device which 
performs the check. 

14. (Amended) Terminal device according to claim 11, designed to produce the digital 
signature of a message M, hereinafter known as the signed message, by an entity called a signing 
entity; 

the signed message comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D; 

said terminal device being such that it comprises a signing device associated with the signing 
entity, said signing device being interconnected with the witness device by interconnection 
means and possibly taking especially the form of logic microcircuits in a nomad object, for 
example the form of a microprocessor in a microprocessor-based bank card, 
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said demonstrator device comprising connection means for its electrical, electromagnetic, optical 
or acoustic connection, especially through a data-processing communications network, to the 
controller device associated with the controller entity, said controller device especially taking the 
form of a terminal or remote server; 
Signing operation 

said terminal device being used to execute the following steps: 

• Step 1 : act of commitment R 
at each call, the means of computation of the commitments R of the witness device compute 
each commitment R by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q u Q2, ... Q m and public values G i, G2, ... G„„ m 
being greater than or equal to 1 1 , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p i , P2, * . ■ P f, f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type_ 

G L . Q, v = 1 . mod nor Gj = Q{ mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value G i being the square g ; 2 of a base number g ; smaller than the f prime 
factors p i, pj- ... P f : the base number g; being such that the following two conditions are met: 
neither of the two equations: 

x 2 ~ g j mod n and x 2 = - g j mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = g 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 




p^ and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and7or the m private values Q, and/or the f.m components Q ,.j (O ij = Qi^ mod Pj ) of the private 
values Qj ^ and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

* either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 
* or 

* * by performing operations of the type: 

Ri = r j V mo d pi 

where r \ is a random value associated with the prime number p , such that Q < r ^ < p ,- , each r ; 
belonging to a collection of random values {r i , i g , ... r f >, 

• * then by applying the Chinese remainder method; 

- the witness receives one or more chall enges d, each challenge d c omprising m integers d, 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

* either by performing operations of the type: 

D = r . Q i dl . Q 2 d2 . ... Q m d m mod n 

* or 

• * by performing operations of the type: 

Pi s r, . Qu dl ■ Qi.2 d2 - ... Oi T m dm mod pj 

* * and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D | [process 
specified according to claim 1], 

where as the witness device has means of transmission, hereinafter called the transmission means 
of the witness device, to transmit all or part of each commitment R to the signing device through 
the interconnection means, 

* Step 2: act of challenge d 



the signing device comprises computation means, hereinafter called the computation means of 
the signing device, applying a hashing function h whose arguments are the message M and all or 
part of each commitment R to compute a binary train and extract, from this binary train, 
challenges d whose number is equal to the number of commitments R, 

• Step 3: act of response D 
the means for the reception of the challenges d of the witness device receive each challenge d 
coming from the signing device through the interconnection means, 

the means for computing the responses D of the witness device compute the responses D from 
the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q i , Q j , ... Q m and public values Gj, G 2 , ... G m , m 
being greater than or equal to 1 L or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p i, pg, ... P f, f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

G L . Of = 1 . mod n or Gj = Q, v mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1; 

said public value G j being the square gj 2 of a base number g j smaller than the f prime 
factors P i, pi, ... P f ; the base number g ; being such that the following two conditions are met: 
neither of the two equations: 

x 2 s g j mod n and x 2 = - g , mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = g j 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 




Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q ; and/or the f.m components Q jj (Q jj = Q L mod Pj) of the private 
values Q j^ and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

» either by performing operations of the type; 

R = r v mod n 
where r is a random value such that 0 < r < n, 
» or 

• • by performing operations of the type: 

R, = rj V mod p, 

where r , is a random Value associated with the prime number p -, such that 0 < r ^< p. , each r, 
belonging to a collection of random values {ri , ri , rf), 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d; 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D = r . Q t dl . Oi d2 - ... O m dm mod n 

• or 

"by performing operations of the type: 

Pi 55 n • Obi dl - Ok2 O i-m dm mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R„ each group of numbers R, d, D forming a triplet referenced {R, d, D } [process 
specified according to claim 1], 

where as the witness device comprises transmission means, hereinafter called means of 
transmission of the witness device, to transmit the responses D to the signing device, through the 
interconnection means. 
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SUPPLEMENTAL PRELIMINARY AMENDMENT 

Box PCT 

Assistant Commissioner for Patents 
Washington, D.C. 20231 

Dear Sir: 

In connection with the above-identified application, please enter the following 
preliminary amendment, which is subsequent to the initial preliminary amendment filed on July 
24, 2001, based on the Article 34 amendments, based on claims amended in prosecution of the 
international application and published in the International Preliminary Examination Report 
(marked-up copy attached): 

IN THE SPECIFICATION 
A courtesy copy of the present specification was filed with the application on July 
24, 2001. However, the World Intellectual Property Office (WIPO) copy should be relied upon 
if it is already in the U.S. Patent Office. 



IN THE CLAIMS 

Please insert the following language to the last page of the TEXT AS AMENDED 
section that was filed with the above-identified application on July 24, 2001. However, please 
note that the following language was included in the courtesy copy of the TEXT AS FILED 
section filed on July 24, 2001 : 

case where the demonstrator has transmitted the totality of each commitment R 

if the transmission means of the demonstrator have received the totality of each commitment R, 
the computation means and the comparison means of the controller device, having m public 
values Gj, G2, G m , ascertain that each commitment R satisfies a relationship of the type 

R = Gi dl . G 2 d2 . » G m dm . D v mod n 
or a relationship of the type 

R ss D v /G! dl . G 2 d2 . ... G m d ™ . mod n 
17. Controller device according to claim 15, designed to give proof to an entity, known 
as a controller, of the integrity of a message M associated with an entity known as a 
demonstrator, 

said controller device comprising connection means for its electrical, electromagnetic, optical or 
acoustic connection, especially through a data-processing communications network, to a 
demonstrator device associated with the demonstrator entity, 
said system enabling the execution of the following steps: 

• Steps 1 and 2; act of commitment R, act of challenge d 
said controller device also has means for the reception of tokens T coming from the demonstrator 
device through the connection means, 

the controller device has challenge production means for the. production, after having received 
the token T, of the challenges d in a number equal to the number of commitments R, each 
challenge d comprising m integers d\, herein after called elementary challenges, 
the controller device also has transmission means, hereinafter called the transmission means of 
the controller, to transmit the challenges d to the demonstrator through the connection means; 
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• Steps 3 and 4: act of response D, act of checking 

the controller device also comprises: 

- means for the reception of the responses D coming from the demonstrator device, 
through the connection means, 

- computation means, hereinafter called the computation means of the controller device, 
having m public values G\ 9 G2, G m , to firstly compute a reconstructed commitment R ? , from 
each challenge d and each response D, this reconstructed commitment R f satisfying a 
relationship of the type 

R' = Gj d * . G 2 d2 . G m dm . DV mod n 

or a relationship of the type 

R' = D v /G! dl . G 2 d2 . G m dm . mod n 

then, secondly, compute a token T f by applying the hashing function h having as arguments the 
message M and all or part of each reconstructed commitment R\ 
the controller device also comprises: 

- comparison means, hereinafter called the comparison means of the controller device, to 
compare the computed token T f with the received token T. 

18. Controller device according to claim 15, designed to prove the authenticity of the 
message M by checking a signed message by means of an entity called a controller; 
the signed message, sent by a signing device associated with a signing entity having a hashing 
function h (message, R), comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D; 
Checking operation 

said controller device comprising connection means for its electrical, electromagnetic, optical or 
acoustic connection, especially through a data-processing communications network, to a signing 
device associated with the signing entity, 

said controller device having received the signed message from the signed device, through the 

connection means, 

the controller device comprises: 
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- computation means, hereinafter called the computation means of the controller device, 

- comparison means, hereinafter called the comparison means of the controller device; 

• case where the controller device has commitments R, challenges d, responses D 
if the controller has commitments R, challenges d, responses D, 

• • the computation and comparison means of the controller device ascertain that the 
commitments R, the challenges d and the responses D satisfy relationships of the type 

R s Gi dl . G 2 d2 . ... G m dm . D v mod n 
or relationships of the type: 

R = D v /Gi dl . G 2 d2 . ... G m dm . mod n 

• • the computation and comparison means of the controller device ascertain that the 
message M, the challenges d and the commitments R satisfy the hashing function 

d = h (message, R) 

• case where the controller device has challenges d and responses D 
if the controller device has challenges d and responses D, 

• • the computation means of the controller, on the basis of each challenge d and each 
response D, compute commitments R 9 satisfying relationships of the type 

R' = Gi dl . G 2 d2 . ... G m dm . D v mod n 
or relationships of the type: 

R' s D v /Gj d l . G 2 d2 . - G m dm . mod n 

• • the computation and comparison means of the controller device ascertain that the 
message M and the challenges d satisfy the hashing function: 

d = h (message, R 5 ) 

• case where the controller device has commitments R and responses D 
if the controller device has commitments R and responses D, 

• • the computation means of the controller device apply the hashing function and 
compute d' such that 

d ! = h (message, R) 

• • the computation and comparison means of the controller device ascertain that the 
commitments R, the challenges d' and the responses D satisfy relationships of the type 

R = Gi d?1 . G 2 d ' 2 . ... G m d ' m . DV mod n 
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or relationships of the type: 

R = D v /Gj d f l m G2 d'2 . _ Gjn d'm . mod n 

Please amend the following claims: 

7. (Twice Amended) A system according to claim 6, designed to prove the authenticity of 
an entity called a demonstrator and an entity called a controller, 
said system being such that it comprises: 

- a demonstrator device associated with the demonstrator entity, said demonstrator device 
being interconnected with the witness device by interconnection means and possibly taking the 
form especially of logic microcircuits in a nomad object, for example the form of a 
microprocessor in a microprocessor-based bank card, 

- a controller device associated with the controller entity, said controller device especially 
taking the form of a terminal or remote server, said controller device comprising connection 
means for its electrical, electromagnetic, optical or acoustic connection, especially through a 
data-processing communications network, to the demonstrator device; 

said system enabling the execution of the following steps: 

* Step 1 : act of commitment R 
at each call, the means of computation of the commitments R of the witness device compute each 
commitment R by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q 19 Q 2 , ... Q m and public values G„ G 2 , ... G m , m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p„ p 2 , ... p f , f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

Gj . Qj V = 1 . mod n or G ; = Q { v mod n; 

v designating a public exponent such that 



5 



where k is a security parameter greater than 1 ; 

said public value Gj being the square g^ of a base number gj smaller than the f prime 
factors p„ p 2 , ... p f ; the base number gj being such that the following two conditions are met: 
neither of the two equations: 

x 2 = g; mod n and x 2 = - g. mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

\ v = gj 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pj and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q f and/or the f.m components Q s • (Q u ^ = Qj mod pj) of the private 
values Qj and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

R^ if mod Pi 

where rj is a random value associated with the prime number p; such that 0 < i*j < p i3 each r { 
belonging to a collection of random values {i^ , r 2 , ... r f }, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d ; 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D = r . Q 1 dl . Q 2 A \ ... Q m dm mod n 
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• or 

• • by performing operations of the type: 

D i -r i .Q M dl .Q i / 2 ...-Q im dm mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D}, 
where as the witness device has means of transmission, hereinafter called the transmission means 
of the witness device, to transmit all or part of each commitment R to the demonstrator device 
through the interconnection means, 

the demonstrator device also has transmission means, hereinafter called the transmission means 
of the demonstrator, to transmit all or part of each commitment R to the controller device 
through the connection means; 

• Step 2: act of challenge d 

the controller device comprises challenge production means for the production, after receiving all 
or part of each commitment R, of the challenges d equal in number to the number of 
commitments R, 

the controller device also has transmission means, hereinafter known as the transmission means 
of the controller, to transmit the challenges d to the demonstrator through the connection means. 

• Step 3: act of response D 

the means of reception of the challenges d of the witness device receive each challenge d coming 
from the demonstrator device through the interconnection means, 

the means of computation of the responses D of the witness device compute the responses D 
from the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q 15 Q 2 , ... Q m and public values G„ G 2 , ... G m , m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p„ p 2 , ... p f , f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 
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type 

G f . Qj V = 1 . mod nor Qj V mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1; 

said public value Gj being the square g s 2 of a base number g; smaller than the f prime 
factors p„ p 2 , ... p f ; the base number g t being such that the following two conditions are met: 
neither of the two equations: 

x 2 = g s mod n and x 2 = - g ; mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v ~ g 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Qj and/or the f.m components Q { • (Q^ = Qj mod p^ of the private 
values Qj and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 
• or 

• • by performing operations of the type: 

R j = i*i V mod pj 

where r, is a random value associated with the prime number pj such that 0 < r s < p i5 each r, 
belonging to a collection of random values {i^ , r 2 , ... r f } ? 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d; 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 



8 



O M S B «3 *J ,1 IB „, .1 H 5 :l B £J :ii 



a response D, 

• either by performing operations of the type: 

D = r . Q, dl . Q 2 d2 . ... Q m dm mod n 

• or 

• • by performing operations of the type: 

D s s r s . Q M dl . Q, 2 d2 . ... Q I(M dm mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D}, 

• Step 4: act of checking 

the transmission means of the demonstrator transmit each response D to the controller, 
the controller device also comprises: 

- computation means, hereinafter called the computation means of the controller device, 

- comparison means, hereinafter called the comparison means of the controller device, 
case where the demonstrator has transmitted a part of each commitment R. 

if the transmission means of the demonstrator have transmitted a part of each commitment R, the 
computation means of the controller device, having m public values Gj, G 2 , G m , compute a 
reconstructed commitment R\ from each challenge d and each response D, this reconstructed 
commitment R 1 satisfying a relationship of the type 

R' = Gi dl . G 2 d2 . ♦» G m dm . D v mod n 
or a relationship of the type 

R f ss D v /G! dl . G 2 d2 . ... G m dm . mod n 
the comparison means of the controller device compare each reconstructed commitment R T with 
all or part of each commitment R received, 

case where the demonstrator has transmitted the totality of each commitment R 

if the transmission means of the demonstrator have transmitted the totality of each commitment 
R, the computation means and the comparison means of the controller device, having m public 
values Gj, G 2 , G m , ascertain that each commitment R satisfies a relationship of the type 

R= Gx dl . G 2 62 . .» G m dm . D v mod n 
or a relationship of the type 
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R = DV/d dl . G 2 d2 . ». G m dm . mod n 

8. (Twice Amended) System according to claim 6, designed to give proof to an entity, 
known as a controller, of the integrity of a message M associated with an entity known as a 
demonstrator, 

said system being such that it comprises 

- a demonstrator device associated with the demonstrator entity, said demonstrator device 
being interconnected with the witness device by interconnection means and possibly taking the 
form especially of logic microcircuits in a nomad object, for example the form of a 
microprocessor in a microprocessor-based bank card, 

- a controller device associated with the controller entity, said controller device especially 
taking the form of a terminal or remote server, said controller device comprising connection 
means for its electrical, electromagnetic, optical or acoustic connection, especially through a 
data-processing communications network, to the demonstrator device; 
said system enabling the execution of the following steps: 

• Step 1 : act of commitment R 
at each call, the means of computation of the commitments R of the witness device compute each 
commitment R by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 
by means of all or part of the private values Q„ Q 2 , ... Q m and public values G„ G 2 , ... G m , m 
being greater than or equal to 1 I , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p„ p 2 , ... p f , f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

Gj. Qi v = 1 . mod n or G; - Q^mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 
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said public value G t being the square gj 2 of a base number g. smaller than the f prime 
factors p„ p 2 , ... p f ; the base number g. being such that the following two conditions are met: 
neither of the two equations: 

x 2 = g; mod n and x 2 = - & mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = g. 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pj and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q; and/or the f.m components Q u (Q u = Qj mod pj) of the private 
values Q; and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

Ri = r f v mod Pi 

where i*j is a random value associated with the prime number p { such that 0 < i*, < p i? each r, 
belonging to a collection of random values {r, , r 2 , ... r f } ? 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers dj 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D = r . Q, dl . Q 2 d \ ... Q m dm mod n 

• or 

• • by performing operations of the type: 
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D, = r, . Q w dl . Q i>2 dZ . ... Q iim dm mod Pi 
• • and then by applying the Chinese remainder method; 
said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D}, 
where as the witness device has transmission means, hereinafter called transmission means of the 
witness device, to transmit all or part of each commitment R to the demonstrator device through 
the interconnection means, 

• Step 2: act of challenge d 

the demonstrator device comprises computation means, hereinafter called the computation means 
of the demonstrator, applying a hashing function h whose arguments are the message M and all 
or part of each commitment R to compute at least one token T, 

the demonstrator device also has transmission means, hereinafter known as the transmission 
means of the demonstrator device, to transmit each token T through the connection means to the 
controller device, 

the controller device also has challenge production means for the production, after having 
received the token T, of the challenges d in a number equal to the number of commitments R, 
the controller device also has transmission means, hereinafter called the transmission means of 
the controller, to transmit the challenges d to the demonstrator through the connection means; 

• Step 3: act of response D 

the means of reception of the challenges d of the witness device receive each challenge d coming 
from the demonstrator device through the interconnection means, 

the means of computation of the responses D of the witness device compute the responses D 
from the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q„ Q 2 , ... Q m and public values G„ G 2 , G m , m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p 15 p 2 , ... p f , f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 
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type 

Gj . Qj v = 1 . mod n or Gj = Qj V mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value G; being the square g s 2 of a base number gj smaller than the f prime 
factors p„ p 2 , ... p f ; the base number gj being such that the following two conditions are met: 
neither of the two equations: 

x 2 = gj mod n and x 2 = - g ; mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = gi 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Qj and/or the f.m components Q s j (Q t . = Q; mod pj) of the private 
values Qj and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r< n, 
• or 

• • by performing operations of the type: 

Rj - mod p. 

where r s is a random value associated with the prime number p s such that 0 < r ; < p i; each i*j 
belonging to a collection of random values {r, , r 2 , ... r f } 5 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d; 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
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a response D, 

• either by performing operations of the type: 

D = r . Q, dl . Q 2 d \ ... Q m dm mod a 

• or 

• • by performing operations of the type: 

Di = r s . Qj , dl . Q i2 d2 . ... Q im dm mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D}, 

• Step 4: act of checking 

the transmission means of the demonstrator transmit each response D to the controller, 
the controller device also comprises computation means, hereinafter called the computation 
means of the controller device, having m public values Gj, G2, G m , to firstly compute a 
reconstructed commitment R\ from each challenge d and each response D, this reconstructed 
commitment R f satisfying a relationship of the type 

R t ^ Gl dl . g 2 d 2 . ... G m dm . D v mod n 
or a relationship of the type 

R f = D v /G! d l . G 2 d2 . ». G m dm . mod n 
then, secondly, compute a token T 1 by applying the hashing function h having as arguments the 
message M and all or part of each reconstructed commitment R f , 

the controller device also has comparison means, hereinafter known as the comparison means of 
the controller device, to compare the computed token T r with the received token T. 

9. (Twice Amended) System according to claim 6, designed to produce the digital 
signature of a message M, hereinafter known as the signed message, by an entity called a signing 
entity; 

the signed message comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D; 
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Signing operation 

said system being such that it comprises a signing device associated with the signing entity, said 
signing device being interconnected with the witness device by interconnection means and 
possibly taking the form especially of logic microcircuits in a nomad object, for example the 
form of a microprocessor in a microprocessor-based bank card, 
said system enabling the execution of the following steps: 

• Step 1 : act of commitment R 
at each call, the means of computation of the commitments R of the witness device compute each 
commitment R by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q„ Q 2 , ... Q m and public values G„ G 2 , ... G m , m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p 19 p 2 , ... p f? f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

Gi . Qi V = 1 . mod norGj = mod n; 
v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value G ( being the square gj 2 of a base number g; smaller than the f prime 
factors p„ p 2 , ... p f ; the base number & being such that the following two conditions are met: 
neither of the two equations: 

x 2 = g. mod n and x 2 = - gj mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = gj 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
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Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q f and/or the f.m components Q x j {Q U ] = Q s mod Pj) of the private 
values Qi and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

Ri == rj v mod p s 

where r { is a random value associated with the prime number p f such that 0 < r t < p i? each r { 
belonging to a collection of random values {r, , r 2 , ... r f } ? 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d; 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D = r . Q, d1 . Q 2 d2 . ... Q m dm mod n 

• or 

• • by performing operations of the type: 

D i = r i • Qi,l dl • Qi,2 • • Qi,m dm m ° d Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D}, 
where as the witness device has means of transmission, hereinafter called the transmission means 
of the witness device, to transmit all or part of each commitment R to the demonstrator device 
through the interconnection means, 

• Step 2: act of challenge d 
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the signing device comprises computation means, hereinafter called the computation means of 
the signing device, applying a hashing function h whose arguments are the message M and all or 
part of each commitment R to compute a binary train and extract, from this binary train, 
challenges d whose number is equal to the number of commitments R, 

•Step 3: act of response D 
the means for the reception of the challenges d of the witness device receive each challenge d 
coming from the signing device through the interconnection means, 

the means for computing the responses D of the witness device compute the responses D from 
the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q„ Q 2 , ... Q m and public values G,, G 2 , ... G m , m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p 1? p 2 , ... p f , f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

G iB Qi v = 1 . mod nor Gj - Q^mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value G f being the square gj 2 of a base number g. smaller than the f prime 
factors pp p 2 , ... p f ; the base number & being such that the following two conditions are met: 
neither of the two equations: 

x 2 = g ; mod n and x 2 = - g ; mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v ~ gj 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
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p. and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Qj and/or the f.m components Q i? j (Q u = Q { mod pj) of the private 
values Qj and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

Ri = mod pj 

where i*j is a random value associated with the prime number p. such that 0 < r { < p i? each r s 
belonging to a collection of random values {r l , r 2 , ... r f }, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d ; 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D = r . Qj dl . Q 2 d2 . ... Q m dm mod n 

• or 

• • by performing operations of the type: 

D i -r i .Q M dl .Q i / 2 ....Q i)m dm mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D}, 
where as the witness device comprises transmission means, hereinafter called means of 
transmission of the witness device, to transmit the responses D to the signing device through the 
interconnection means. 



18 



12, (Twice Amended) A terminal device according to claim 11, designed to prove the 
authenticity of an entity called a demonstrator to an entity called a controller, 
said terminal device being such that it comprises a demonstrator device associated with the 
demonstrator entity, said demonstrator device being interconnected with the witness device by 
interconnection means and being capable especially of taking the form of logic microcircuits in a 
nomad object, for example the form of a microprocessor in a microprocessor-based bank card, 
said demonstrator device also comprising connection means for its electrical, electromagnetic, 
optical or acoustic connection, especially through a data-processing communications network, to 
the controller device associated with the controller entity, said controller device especially taking 
the form of a terminal or remote server; 

said terminal device enabling the execution of the following steps: 

• Step 1: act of commitment R 
at each call, the means of computation of the commitments R of the witness device compute each 
commitment R by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q„ Q 2 , ... Q m and public values G„ G 2 , ... G m , m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p„ p 2 , ... p f , f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

Gj . Qj v = 1 . mod n or Gj = Q ( v mod n; 

v designating a public exponent such that 

\ = 2 k 

where k is a security parameter greater than 1 ; 

said public value Gj being the square of a base number g f smaller than the f prime 
factors p„ p 2 , ... p f ; the base number g ; being such that the following two conditions are met: 
neither of the two equations: 

x 2 = & mod n and x 2 = - g; mod n 
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can be resolved in x in the ring of integers modulo n 
the equation: 

x v = g; 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q; and/or the f.m components Q f 1 (Q u = Q. mod pj) of the private 
values Q 4 and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r< n, 

• or 

• • by performing operations of the type: 

Ri =- r ; v mod p s 

where i*j is a random value associated with the prime number p; such that 0 < r t < p i? each iv 
belonging to a collection of random values {r, , r 2 , ... r f } 5 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers dj 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D = r . Q, dl . Q 2 d2 . ... Q m dm mod n 

• or 

• • by performing operations of the type: 

D i -r i .Q i / 1 .Q i2 d2 ....Q im dm mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D}, 
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where as the witness device has transmission means, hereinafter called the transmission means of 
the witness device, to transmit all or part of each commitment R to the demonstrator device 
through the interconnection means, 

the demonstrator device also has transmission means, hereinafter called the transmission means 
of the demonstrator, to transmit all or part of each commitment R to the controller device, 
through the connection means; 

• Steps 2 and 3: act of challenge d, act of response D 
the means of reception of the challenges d of the witness device receive each challenge d coming 
from the controller device through the connection means between the controller device and the 
demonstrator device and through the interconnection means between the demonstrator device and 
the witness device, 

the means of computation of the responses D of the witness device compute the responses D 
from the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q„ Q 2 , ... Q m and public values G„ G 2 , ... G m , m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product off prime factors p 15 p 2 , ... p f , f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

G s . Qs v - 1 . mod norG^ Q^mod n; 
v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value G { being the square gj 2 of a base number g; smaller than the f prime 
factors p 15 p 2 , ... p f ; the base number g, being such that the following two conditions are met: 
neither of the two equations: 

x 2 ~ g. mod n and x 2 = - g ; mod n 

can be resolved in x in the ring of integers modulo n 
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the equation: 

x v = gj 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q. and/or the f.m components Q u (Q. j = Q ( mod Pj ) of the private 
values Qj and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

Ri = r ; v mod pj 

where r f is a random value associated with the prime number Pi such that 0 < r s < p ; , each r, 
belonging to a collection of random values {r, , r 2 , ... r f } ? 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d; 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D = r . Q, dl . Q 2 d2 . ... Q m dm mod n 

• or 

• • by performing operations of the type: 

D i -r i .Q i / , .Q i2 d2 ....Q im dm mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D}, 

• Step 4: act of checking 
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the transmission means of the demonstrator transmit each response D to the controller that carries 
out the check. 

13. (Twice Amended) Terminal device according to claim 11, designed to give proof to 
an entity, known as a controller, of the integrity of a message M associated with an entity known 
as a demonstrator, 

said terminal device being such that it comprises a demonstrator device associated with the 
demonstrator entity, said demonstrator device being interconnected with the witness device by 
interconnection means and being capable especially of taking the form- of logic microcircuits in a 
nomad object, for example the form of a microprocessor in a microprocessor-based bank card, 
said demonstrator device comprising connection means for its electrical, electromagnetic, optical 
or acoustic connection, especially through a data-processing communications network, to the 
controller device associated with the controller entity, said controller device especially taking the 
form of a terminal or remote server; 

said terminal device being used to execute the following steps: 

• Step 1 : act of commitment R 
at each call, the means of computation of the commitments R of the witness device compute each 
commitment R by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q„ Q 2 , ... Q m and public values G 15 G 2 , ... G m , m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p 19 p 2 , ... p f , f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

G s . Q; v = 1 . mod norGj- Q t v mod n; 
v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 



23 



jr 1 -» Af 3 -ir!3; ^'^j i; >i{ 

m-tp 4I1 '"2? -i-lh 



*. IS :3\/i?l fi:X 



said public value G ( being the square g* of a base number g; smaller than the f prime 
factors p„ p 2 , ... p f ; the base number g; being such that the following two conditions are met: 
neither of the two equations: 

x 2 = gj mod n and x 2 = - g; mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = g 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pj and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Qj and/or the f.m components Q if j (Q u = Qj mod Pj) of the private 
values Qj and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

Rj = mod Pj 

where r t is a random value associated with the prime number P; such that 0 < r. < p h each i*j 
belonging to a collection of random values {r l , r 2 , ... r f }, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d; 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D = r . Q, d1 . Q 2 d \ ... Q m dm mod n 

• or 

• • by performing operations of the type: 
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D i - r i • Qi,i dl • Qm d2 - Qi,m dm mod Pi 
• * and then by applying the Chinese remainder method; 
said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D}; 
where as the witness device has means of transmission, hereinafter called the transmission means 
of the witness device, to transmit all or part of each commitment R to the demonstrator device 
through the interconnection means, 

• Steps 2 and 3: act of challenge d, act of response D 
the demonstrator device comprises computation means, hereinafter called the computation means 
of the demonstrator, applying a hashing function h whose arguments are the message M and all 
or part of each commitment R to compute at least one token T, 

the demonstrator device also has transmission means, hereinafter known as the transmission 
means of the demonstrator device, to transmit each token T, through the connection means, to the 
controller device, 

said controller, after having received the token T, produces challenges d equal in number to the 
number of commitments R, 

the means of reception of the challenges d of the witness device receive each challenge d coming 
from the controller device through the connection means between the controller device and the 
demonstrator device and through the interconnection means between the demonstrator device and 
the witness device, 

the means of computation of the responses D of the witness device compute the responses D 
from the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q 15 Q 2 , ... Q m and public values G„ G 2 , ... G m , m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p„ p 2 , ... p f , f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 
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G s . Qj v = 1 . mod n or G ; = Q s v mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value Gj being the square g 2 of a base number & smaller than the f prime 
factors p 15 p 2 , ... p f ; the base number & being such that the following two conditions are met: 
neither of the two equations: 

x 2 = gj mod n and x 2 = - gj mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = & 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pj and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q, and/or the f.m components Q i S (Q Ui - Q s mod pj) of the private 
values Qi and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 
• or 

• • by performing operations of the type: 

Rj = i*i V mod pj 

where r f is a random value associated with the prime number p ; such that 0 < r, < p i? each r, 
belonging to a collection of random values {r, , r 2 , ... r f }, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d; 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 
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• either by performing operations of the type: 

D^r.Q/\Q 2 d2 . .~Q m dm modn 

• or 

• • by performing operations of the type: 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D}, 

• Step 4: act of checking 

the transmission means of the demonstrator send each response D to the controller device which 
performs the check. 

14. (Twice Amended) Terminal device according to claim 11, designed to produce the 
digital signature of a message M } hereinafter known as the signed message, by an entity called a 
signing entity; 

the signed message comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D; 

said terminal device being such that it comprises a signing device associated with the signing 
entity, said signing device being interconnected with the witness device by interconnection 
means and possibly taking especially the form of logic microcircuits in a nomad object, for 
example the form of a microprocessor in a microprocessor-based bank card, 
said demonstrator device comprising connection means for its electrical, electromagnetic, optical 
or acoustic connection, especially through a data-processing communications network, to the 
controller device associated with the controller entity, said controller device especially taking the 
form of a terminal or remote server; 
Signing operation 

said terminal device being used to execute the following steps: 
• Step 1 : act of commitment R 
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at each call, the means of computation of the commitments R of the witness device compute each 
commitment R by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q„ Q 2 , ... Q m and public values G„ G 2 , ... G m , m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p 19 p 2 , ... p f , f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

G; . Qi v = 1 . mod n or Gj - Q^mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value G; being the square of a base number & smaller than the f prime 
factors p„ p 2 , ... p f ; the base number g f being such that the following two conditions are met: 
neither of the two equations: 

x 2 = gj mod n and x 2 = - g { mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = gj 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q t and/or the f.m components Q u (Q i? j = Q t mod Pj) of the private 
values Qj and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
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where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

R^iVmodp, 

where r- t is a random value associated with the prime number Pi such that 0 < r f < Pj , each r, 
belonging to a collection of random values {r, , r 2 , ... r ff }, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d s 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D = r . Q, dl . Q 2 d2 . ... Q m dm mod n 

• or 

• • by performing operations of the type: 

Dj = T; . Q w dl . Q, 2 d \ ... Q i m dm mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D}, 
where as the witness device has means of transmission, hereinafter called the transmission means 
of the witness device, to transmit all or part of each commitment R to the signing device through 
the interconnection means, 

•Step 2: act of challenge d 
the signing device comprises computation means, hereinafter called the computation means of 
the signing device, applying a hashing function h whose arguments are the message M and all or 
part of each commitment R to compute a binary train and extract, from this binary train, 
challenges d whose number is equal to the number of commitments R, 

• Step 3: act of response D 

the means for the reception of the challenges d of the witness device receive each challenge d 
coming from the signing device through the interconnection means, 
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the means for computing the responses D of the witness device compute the responses D from 
the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q„ Q 2 , ... Q m and public values G„ G 2 , ... G m , m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p„ p 2 , ... p f5 f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

Gj. Qi v = 1 . mod n or G ; = Q^mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value G ; being the square & 2 of a base number & smaller than the f prime 
factors p 15 p 2 , ... p f ; the base number g ; being such that the following two conditions are met: 
neither of the two equations: 

x 2 = a mod n and x 2 = - & mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = g 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q s and/or the f.m components Q; j (Q it , = Qi mod p s ) of the private 
values Q ; and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
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where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

R. = i\ v mod Pi 

where r x is a random value associated with the prime number p { such that 0 < r { < p s , each r s 
belonging to a collection of random values {i^ , r 2 , ... r f } ? 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers dj 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D S r.Q 1 d, .Q 2 -2 ....Q B dn inodn 

• or 

• • by performing operations of the type: 

D t s r, . Q M dl . Q, 2 d2 . ... Q Um dm mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D}, 
where as the witness device comprises transmission means, hereinafter called means of 
transmission of the witness device, to transmit the responses D to the signing device, through the 
interconnection means. 

REMARKS 

The above preliminary amendment is made to insert the pages inadvertantly 
missing from the TEXT AS AMENDED section filed on July 24, 2001, and to remove multiple 
dependencies from claims 7, 8, 9, 12, 13 and 14. 
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Applicants respectfully request that the preliminary amendment described herein 
be entered into the record prior to calculation of the filing fee and prior to examination and 
consideration of the above-identified application. 

If a telephone conference would be helpful in resolving any issues concerning this 
communication, please contact Applicants' primary attorney-of record, John J. Gresens (Reg. No. 
33,112), at (612) 371.5265. 

Respectfully submitted, 

MERCHANT & GOULD P.C. 
P.O. Box 2903 

Minneapolis, Minnesota 55402-0903 
(612) 332-5300 

Dated: October 23, 2001 
JJG/tvm 
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7. (Twice Amended) A system according to claim 6, designed to prove the authenticity of 
an entity called a demonstrator and an entity called a controller, 
said system being such that it comprises: 

- a demonstrator device associated with the demonstrator entity, said demonstrator device 
being interconnected with the witness device by interconnection means and possibly taking the 
form especially of logic microcircuits in a nomad object, for example the form of a 
microprocessor in a microprocessor-based bank card, 

- a controller device associated with the controller entity, said controller device especially 
taking the form of a terminal or remote server, said controller device comprising connection 
means for its electrical, electromagnetic, optical or acoustic connection, especially through a 
data-processing communications network, to the demonstrator device; 

said system enabling the execution of the following steps: 

• Step 1 : act of commitment R 
at each call, the means of computation of the commitments R of the witness device compute 
each commitment R by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qi, Q 2 , ... Q m and public values Gi, G 2 , ... G m , m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors pi, p 2 , ... Pf, f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

Gj • Qi V = 1 . mod n or Gj = Qj v mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1; 

said public value Gi being the square gj 2 of a base number gi smaller than the f prime 
factors pi, p 2 , ... Pr ; the base number gi being such that the following two conditions are met: 



neither of the two equations: 

x 2 = gi mod n and x 2 = - g s mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = gj 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Qi and/or the f.m components Q U } (Qi, j = Q\ mod pj) of the private 
values Qj and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

Ri = r s v mod pi 

where r s is a random value associated with the prime number p } such that 0 < r s < p is each r { 
belonging to a collection of random values {1*1 , r 2 , ... r f }, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d { 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D^r.Qt dl .Q 2 d2 . .~ Q m dm modn 

• or 

• • by performing operations of the type: 

Di ^ n . Q M dl . Qi, 2 d2 . ... Qi,m dm mod Pi 

• • and then by applying the Chinese remainder method; 



said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d ? D} [process 
specified according to claim 1], 

where as the witness device has means of transmission, hereinafter called the transmission means 
of the witness device, to transmit all or part of each commitment R to the demonstrator device 
through the interconnection means, 

the demonstrator device also has transmission means, hereinafter called the transmission means 
of the demonstrator, to transmit all or part of each commitment R to the controller device 
through the connection means; 

• Step 2: act of challenge d 

the controller device comprises challenge production means for the production, after receiving 
all or part of each commitment R, of the challenges d equal in number to the number of 
commitments R, 

the controller device also has transmission means, hereinafter known as the transmission means 
of the controller, to transmit the challenges d to the demonstrator through the connection means. 

• Step 3: act of response D 

the means of reception of the challenges d of the witness device receive each challenge d coming 
from the demonstrator device through the interconnection means, 

the means of computation of the responses D of the witness device compute the responses D 
from the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qi, Q 2 , ... Q m and public values Gi, G 2 , ... G m? m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors pi, p 2 , ... Pf, f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

Gj . Qj V = 1 . mod n or Gj = Q s v mod n; 

v designating a public exponent such that 



v = 2 k 

where k is a security parameter greater than 1; 

said public value Gj being the square gj 2 of a base number g\ smaller than the f prime 
factors pi, P2, ... Pf ; the base number gj being such that the following two conditions are met: 
neither of the two equations: 

x 2 = gj mod n and x 2 = - gj mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = gj 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Qi and/or the f.m components Q h j (Q is j = Qj mod pj) of the private 
values Qi and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

Ri = i*j V mod pi 

where rj is a random value associated with the prime number pi such that 0 < n < pu each i*j 
belonging to a collection of random values {1*1 , r 2 , ... r f }, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d\ 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D = r . Qi dl . Q 2 d2 . ... Q m dm mod n 



• or 

• • by performing operations of the type: 

Di = r s . Qi,i dl . Q i)2 d2 . ... Qi, m dm mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D} [process 
specified according to claim 1], 

• Step 4; act of checking 

the transmission means of the demonstrator transmit each response D to the controller, 
the controller device also comprises: 

- computation means, hereinafter called the computation means of the controller device, 

- comparison means, hereinafter called the comparison means of the controller device, 
case where the demonstrator has transmitted a part of each commitment R. 

if the transmission means of the demonstrator have transmitted a part of each commitment R, the 
computation means of the controller device, having m public values Gj, G2, G m , compute a 
reconstructed commitment R', from each challenge d and each response D, this reconstructed 
commitment R f satisfying a relationship of the type 

R f = Gj . G 2 62 . ... G m dm . D v mod n 
or a relationship of the type 

R' s D v /G! dl . G 2 d2 - ... G m dm . mod n 
the comparison means of the controller device compare each reconstructed commitment R* with 
all or part of each commitment R received, 

case where the demonstrator has transmitted the totality of each commitment R 

if the transmission means of the demonstrator have transmitted the totality of each commitment 
R, the computation means and the comparison means of the controller device, having m public 
values Gj, G 29 G m , ascertain that each commitment R satisfies a relationship of the type 

R = G\ dl . G 2 d2 . ». G m dm . D v mod n 
or a relationship of the type 

R = D v /G! dl . G 2 d2 - ». G m dm . mod n 



8. (Twice Amended) System according to claim 6, designed to give proof to an entity, 
known as a controller, of the integrity of a message M associated with an entity known as a 
demonstrator, 

said system being such that it comprises 

- a demonstrator device associated with the demonstrator entity, said demonstrator device 
being interconnected with the witness device by interconnection means and possibly taking the 
form especially of logic microcircuits in a nomad object, for example the form of a 
microprocessor in a microprocessor-based bank card, 

- a controller device associated with the controller entity, said controller device especially 
taking the form of a terminal or remote server, said controller device comprising connection 
means for its electrical, electromagnetic, optical or acoustic connection, especially through a 
data-processing communications network, to the demonstrator device; 

said system enabling the execution of the following steps: 

• Step 1: act of commitment R 
at each call, the means of computation of the commitments R of the witness device compute 
each commitment R by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qi, Q2, ... Q m and public values d, G 2 , ... G m , m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors pi, p 2 , ... Pf, f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

Gj . Qi V = 1 . mod n or Gj = Qi V mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value Gj being the square gj 2 of a base number gi smaller than the f prime 
factors pi, P2, ... Pf ; the base number gi being such that the following two conditions are met: 



neither of the two equations: 

x = gi mod n and x = - g s mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = gj 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Qi and/or the f.m components Qi, j (Q i? j = Q s mod pj) of the private 
values Qi and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

R ; = ri V mod pi 

where rj is a random value associated with the prime number p s such that 0 < r s < p i? each i*i 
belonging to a collection of random values {ri , n , ... rf} 3 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d; 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D = r . Qi dl . Q 2 d2 . ... Q m dm mod n 

• or 

• • by performing operations of the type: 

Di = r, . Qi,i dl . Qi, 2 d2 . ... Qi, m dm mod Pi 

• • and then by applying the Chinese remainder method; 



said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D} [process 
specified in claim 1], 

where as the witness device has transmission means, hereinafter called transmission means of the 
witness device, to transmit all or part of each commitment R to the demonstrator device through 
the interconnection means, 

• Step 2: act of challenge d 

the demonstrator device comprises computation means, hereinafter called the computation means 
of the demonstrator, applying a hashing function h whose arguments are the message M and all 
or part of each commitment R to compute at least one token T, 

the demonstrator device also has transmission means, hereinafter known as the transmission 
means of the demonstrator device, to transmit each token T through the connection means to the 
controller device, 

the controller device also has challenge production means for the production, after having 
received the token T, of the challenges d in a number equal to the number of commitments R, 
the controller device also has transmission means, hereinafter called the transmission means of 
the controller, to transmit the challenges d to the demonstrator through the connection means; 

• Step 3: act of response D 

the means of reception of the challenges d of the witness device receive each challenge d coming 
from the demonstrator device through the interconnection means, 

the means of computation of the responses D of the witness device compute the responses D 
from the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qi, Q2, ... Q m and public values Gi, G2, ... G m , m 
being greater than or equal to 1 1 9 or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors pi, P2, ... pr, f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 



Gi . Qj V = 1 . mod n or Gj ~ Q s v mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value Gj being the square gi 2 of a base number gi smaller than the f prime 
factors pi, p 2 , ... Pf ; the base number gi being such that the following two conditions are met: 
neither of the two equations: 

x 2 = gi mod n and x 2 = - gi mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = gj 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Qj and/or the f.m components Qi, j (Qi, j = Qi mod pj) of the private 
values Qi and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

* either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 
• or 

• • by performing operations of the type: 

R s == i*i V mod pi 

where i*i is a random value associated with the prime number p 4 such that 0 < r s < p i? each r t 
belonging to a collection of random values {1*1 , r 2 , .-- rf} 3 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d ; 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 



• either by performing operations of the type: 

D = r . Q, dl . Q 2 d \ ... Q m dm mod n 

• or 

• • by performing operations of the type: 

Di se n . Qi,i dl . Q i)2 d2 . ... Qi, m dm mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D} [process 
specified according to claim 1], 

• Step 4: act of checking 

the transmission means of the demonstrator transmit each response D to the controller, 
the controller device also comprises computation means, hereinafter called the computation 
means of the controller device, having m public values Gj, G2, ...» G m , to firstly compute a 
reconstructed commitment R\ from each challenge d and each response D, this reconstructed 
commitment R 1 satisfying a relationship of the type 

R' = Gi dl . G 2 d2 . ... G m dm . D v mod n 
or a relationship of the type 

R' = D v /G! dl . G 2 d2 . ». G m dm . mod n 
then, secondly, compute a token T 1 by applying the hashing function h having as arguments the 
message M and all or part of each reconstructed commitment R 1 , 

the controller device also has comparison means, hereinafter known as the comparison means of 
the controller device, to compare the computed token T f with the received token T. 

9. (Twice Amended) System according to claim 6, designed to produce the digital 
signature of a message M, hereinafter known as the signed message, by an entity called a signing 
entity; 

the signed message comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D; 



Signing operation 

said system being such that it comprises a signing device associated with the signing entity, said 
signing device being interconnected with the witness device by interconnection means and 
possibly taking the form especially of logic microcircuits in a nomad object, for example the 
form of a microprocessor in a microprocessor-based bank card, 
said system enabling the execution of the following steps: 

• Step 1 : act of commitment R 
at each call, the means of computation of the commitments R of the witness device compute 
each commitment R by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qi, Q2, ... Q m and public values Gi, G2, ... G m , m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors pi, P2, ... pr, f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

G; . Qj v - 1 . mod n or Gj = Q; v mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value Gi being the square gi 2 of a base number gj smaller than the f prime 
factors pi, P2, ... Pf ; the base number g\ being such that the following two conditions are met: 
neither of the two equations: 

x 2 = & mod n and x 2 = - g ; mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = gi 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 



Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q* and/or the f.m components Q is j (Q*, j = Q s mod pj) of the private 
values Qi and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

Ri = i*i V mod pi ( 
where i*j is a random value associated with the prime number pi such that 0 < n < p i? each r\ 
belonging to a collection of random values {1*1 , r 2 , ... r f }, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d ? each challenge d comprising m integers d; 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D = r . Q t dl . Q 2 d2 . ... Q m dm mod n 

• or 

• • by performing operations of the type: 

Di = r ; . Qi,i dl . Q i>2 d2 . ... Qi, m dm mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D} [process 
specified according to claim 1], 

where as the witness device has means of transmission, hereinafter called the transmission means 
of the witness device, to transmit all or part of each commitment R to the demonstrator device 
through the interconnection means, 

• Step 2: act of challenge d 



the signing device comprises computation means, hereinafter called the computation means of 
the signing device, applying a hashing function h whose arguments are the message M and all or 
part of each commitment R to compute a binary train and extract, from this binary train, 
challenges d whose number is equal to the number of commitments R, 

• Step 3: act of response D 
the means for the reception of the challenges d of the witness device receive each challenge d 
coming from the signing device through the interconnection means, 

the means for computing the responses D of the witness device compute the responses D from 
the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qi, Q 2? ... Q m and public values Gi, G 2 , ... G m , m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors pi, p 2 , ... pr, f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

Gi . Qj V = 1 . mod n or Gj = Qj v mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value Gi being the square g; 2 of a base number gi smaller than the f prime 
factors pi, p 2? ... pr ; the base number gj being such that the following two conditions are met: 
neither of the two equations: 

x 2 = gi mod n and x 2 = - gi mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = gj 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 



Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q t and/or the f.m components Q s> j (Q^j = Qj mod pj) of the private 
values Qi and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

Ri = i*i V mod pi 

where r\ is a random value associated with the prime number pj such that 0 < r\ < pi, each i*j 
belonging to a collection of random values {1*1 , r 2 , ... rf}, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d\ 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D = r . Q] dl . Q 2 d2 . ... Q m Am mod n 

• or 

• • by performing operations of the type: 

Di = r ; . Q M dl . Qs, 2 d2 . ... Q i>m dm mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D} [process 
specified according to claim 1], 

where as the witness device comprises transmission means, hereinafter called means of 
transmission of the witness device, to transmit the responses D to the signing device through the 
interconnection means. 



12. (Twice Amended) A terminal device according to claim 11, designed to prove the 
authenticity of an entity called a demonstrator to an entity called a controller, 
said terminal device being such that it comprises a demonstrator device associated with the 
demonstrator entity, said demonstrator device being interconnected with the witness device by 
interconnection means and being capable especially of taking the form of logic microcircuits in a 
nomad object, for example the form of a microprocessor in a microprocessor-based bank card, 
said demonstrator device also comprising connection means for its electrical, electromagnetic, 
optical or acoustic connection, especially through a data-processing communications network, to 
the controller device associated with the controller entity, said controller device especially taking 
the form of a terminal or remote server; 

said terminal device enabling the execution of the following steps: 

• Step 1 : act of commitment R 
at each call, the means of computation of the commitments R of the witness device compute 
each commitment R by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qi, Q2, ... Q m and public values Gi, G2, ... G m , m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors pi, p 2 , ... Pf, f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

Gj . Qi V = 1 . mod n or Gj = Qi V mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value Gj being the square gi 2 of a base number gi smaller than the f prime 
factors pi, P29 Pr ; the base number gi being such that the following two conditions are met: 
neither of the two equations: 

x 2 5= gj mod n and x 2 = - g s mod n 



can be resolved in x in the ring of integers modulo n 
the equation: 

x v = gj 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Qi and/or the f.m components Q i? j (Qi, j = Qj mod pj) of the private 
values Qj and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

Ri = ri V mod pj 

where r ; is a random value associated with the prime number pj such that 0 < n < p is each i*j 
belonging to a collection of random values {rj , r 2 , ... r f }, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers dj 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D = r . Qt dl . Q 2 d2 . ... Q m dm mod n 

• or 

• • by performing operations of the type: 

Di = n . Q M dl . Q i)2 d2 . . . . Q i>m dm mod Pi 

• • and then by applying the Chinese remainder method; 



said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D} [process 
specified according to claim 1], 

where as the witness device has transmission means, hereinafter called the transmission means of 
the witness device, to transmit all or part of each commitment R to the demonstrator device 
through the interconnection means, 

the demonstrator device also has transmission means, hereinafter called the transmission means 
of the demonstrator, to transmit all or part of each commitment R to the controller device, 
through the connection means; 

• Steps 2 and 3: act of challenge d, act of response D 
the means of reception of the challenges d of the witness device receive each challenge d coming 
from the controller device through the connection means between the controller device and the 
demonstrator device and through the interconnection means between the demonstrator device 
and the witness device, 

the means of computation of the responses D of the witness device compute the responses D 
from the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qi, Q 2 , ... Q m and public values Gi, G 2 , ... G m , m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors pi, p 2 , ... Pf, f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

Gj . Qj V = 1 . mod n or Gi = Q; v mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value G; being the square gi 2 of a base number g s smaller than the f prime 
factors pi, p 2 , ... Pf ; the base number gj being such that the following two conditions are met: 



neither of the two equations: 

x 2 ~ gi mod n and x 2 = - gj mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = gj 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Qj and/or the f.m components j (Qj, j = Q ; mod pj) of the private 
values Qj and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

Ri = i*i V mod pi 

where i*j is a random value associated with the prime number p ; such that 0 < i*i < p i? each ri 
belonging to a collection of random values {r\ , r 2 , ... r f } ? 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers di 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D = r . Q, dl . Q 2 d2 . ... Q m dm mod n 

• or 

• • by performing operations of the type: 

Di s n . Q M dl . Qi, 2 d2 . ... Qi, m dm mod Pi 

• • and then by applying the Chinese remainder method; 



ij^r^-jj^J- n«j!-^si J ^i f A iL,}. .- ( ^4, if, J - J , ti 1 .Tl!™-« ,1^.0.. 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D} [process 
specified according to claim 1], 

• Step 4: act of checking 

the transmission means of the demonstrator transmit each response D to the controller that 
carries out the check. 

13. (Twice Amended) Terminal device according to claim 11, designed to give proof to 
an entity, known as a controller, of the integrity of a message M associated with an entity known 
as a demonstrator, 

said terminal device being such that it comprises a demonstrator device associated with the 
demonstrator entity, said demonstrator device being interconnected with the witness device by 
interconnection means and being capable especially of taking the form of logic microcircuits in a 
nomad object, for example the form of a microprocessor in a microprocessor-based bank card, 
said demonstrator device comprising connection means for its electrical, electromagnetic, optical 
or acoustic connection, especially through a data-processing communications network, to the 
controller device associated with the controller entity, said controller device especially taking the 
form of a terminal or remote server; 

said terminal device being used to execute the following steps: 

• Step 1 : act of commitment R 

at each call, the means of computation of the commitments R of the witness device compute 
each commitment R by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qi, Q 2 , ... Q m and public values Gi, G2, ... G m? m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors pi, p 2 , ... Pf, f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 



Gj . Qj V ^ 1 . mod n or Gj = Q; v mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value Gj being the square gj 2 of a base number g; smaller than the f prime 
factors pi, p 2 , ... Pf ; the base number gi being such that the following two conditions are met: 
neither of the two equations: 

x 2 === gj mod n and x 2 = - gj mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = gi 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Qj and/or the f.m components Qi, j (Qi, j = Qi mod pj) of the private 
values Qj and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 
• or 

• • by performing operations of the type: 

Ri = i*i V mod pj 

where r; is a random value associated with the prime number ps such that 0 < i*i < p ; , each r\ 
belonging to a collection of random values {ri , r 2 , ... r f }, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers di 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 



• either by performing operations of the type: 

D = r . Q! dl . Q 2 d2 . ... Q m dm mod n 

• or 

• • by performing operations of the type: 

Di = r, . Q if , dl . Q i)2 d2 - ~. Q ifm dm mod Pi 

* • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D} [process 
specified according to claim 1]; 

where as the witness device has means of transmission, hereinafter called the transmission means 
of the witness device, to transmit all or part of each commitment R to the demonstrator device 
through the interconnection means, 

• Steps 2 and 3: act of challenge d, act of response D 

the demonstrator device comprises computation means, hereinafter called the computation means 
of the demonstrator, applying a hashing function h whose arguments are the message M and all 
or part of each commitment R to compute at least one token T, 

the demonstrator device also has transmission means, hereinafter known as the transmission 
means of the demonstrator device, to transmit each token T, through the connection means, to 
the controller device, 

said controller, after having received the token T, produces challenges d equal in number to the 
number of commitments R, 

the means of reception of the challenges d of the witness device receive each challenge d coming 
from the controller device through the connection means between the controller device and the 
demonstrator device and through the interconnection means between the demonstrator device 
and the witness device, 

the means of computation of the responses D of the witness device compute the responses D 
from the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qi, Q 2 , ... Q m and public values d, G 2 , ... G m , m 



being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors pi, p 2 , ... pf, f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

Gi . Qj v = 1 . mod n or Gj = Qj V mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value G; being the square gi 2 of a base number gi smaller than the f prime 
factors pi, p2, ... Pf ; the base number gj being such that the following two conditions are met: 
neither of the two equations: 

x 2 = gi mod n and x 2 = - g s mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v == gj 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 
Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Qi and/or the f.m components Qj, j (Qi, j s= Q; mod pj) of the private 
values Qi and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 
• or 

• • by performing operations of the type: 

Rj = i*i V mod pi 

where rj is a random value associated with the prime number p s such that 0 < i*i < pj, each i*j 
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belonging to a collection of random values {1*1 , r 2 , ... r f }, 

• • then by applying the Chinese remainder method; 
- the witness receives one or more challenges d, each challenge d comprising m integers d s 

hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 
D = r . Q, dl . Q 2 d2 . ... Q m dm mod n 

• or 

• • by performing operations of the type: 
Di ^ r 8 . Q M dI . Q i2 d2 . ... Q l>m dm mod Pi 

• • and then by applying the Chinese remainder method; 
said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D} [process 
specified according to claim 1], 

• Step 4: act of checking 
the transmission means of the demonstrator send each response D to the controller device which 
performs the check. 

14. (Twice Amended) Terminal device according to claim 11, designed to produce the 
digital signature of a message M, hereinafter known as the signed message, by an entity called a 
signing entity; 

the signed message comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D; 

said terminal device being such that it comprises a signing device associated with the signing 
entity, said signing device being interconnected with the witness device by interconnection 
means and possibly taking especially the form of logic microcircuits in a nomad object, for 
example the form of a microprocessor in a microprocessor-based bank card, 



said demonstrator device comprising connection means for its electrical, electromagnetic, optical 
or acoustic connection, especially through a data-processing communications network, to the 
controller device associated with the controller entity, said controller device especially taking the 
form of a terminal or remote server; 
Signing operation 

said terminal device being used to execute the following steps: 

• Step 1 : act of commitment R 
at each call, the means of computation of the commitments R of the witness device compute 
each commitment R by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qi, Q 2 , ... Q m and public values Gi, G 2 , ... G m , m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors pi, p 2 , ... pr, f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

Gi . Qj V = 1 , mod n or Gj = Qi V mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value Gj being the square gj 2 of a base number g ( smaller than the f prime 
factors pi, p 2? ... pf ; the base number gj being such that the following two conditions are met: 
neither of the two equations: 

x 2 = gj mod n and x 2 = - gj mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = gj 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 



Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Qj and/or the f.m components Q s , j (Q u - Qj mod pj) of the private 
values Qi and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

Rj = r*i V mod pi 

where r { is a random value associated with the prime number p. such that 0 < r. < p i? each r t 
belonging to a collection of random values {1*1 , r 2 , ... r f }, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers d t 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D s r . Q x dl . Q 2 d2 . ... Q m dm mod n 

• or 

• • by performing operations of the type: 

Ds ^ n . Qi,i dI . Qi, 2 d2 . ... Q,, m dm mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D} [process 
specified according to claim 1], 

where as the witness device has means of transmission, hereinafter called the transmission means 
of the witness device, to transmit all or part of each commitment R to the signing device through 
the interconnection means, 

• Step 2: act of challenge d 
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the signing device comprises computation means, hereinafter called the computation means of 
the signing device, applying a hashing function h whose arguments are the message M and all or 
part of each commitment R to compute a binary train and extract, from this binary train, 
challenges d whose number is equal to the number of commitments R, 

• Step 3: act of response D 
the means for the reception of the challenges d of the witness device receive each challenge d 
coming from the signing device through the interconnection means, 

the means for computing the responses D of the witness device compute the responses D from 
the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q u Q 2 , ... Q m and public values d, G 2 , ... G m , m 
being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors pi, p 2 , ... p f , f being 
greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the following 

type 

Gj . Qj V = 1 . mod n or Gj = Q s v mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value G s being the square g, 2 of a base number gj smaller than the f prime 
factors pi, p 2 , ... p f ; the base number gj being such that the following two conditions are met: 
neither of the two equations: 

x 2 = gj mod n and x 2 = - g } mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v = gj 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime factors 



Pi and/or parameters of the Chinese remainders of the prime factors and/or the public modulus n 
and/or the m private values Q s and/or the f.m components Q S) j (Q u = Q t mod pj) of the private 
values Qi and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

Ri-r^mod Pi 

where r t is a random value associated with the prime number pi such that 0 < i*i < p i? each r { 
belonging to a collection of random values {n , r 2 , ... r f }, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m integers dj 
hereinafter called elementary challenges; the witness, on the basis of each challenge d, computes 
a response D, 

• either by performing operations of the type: 

D r . Q, dl . Q 2 d2 . ... Q ra dm mod n 

• or 

• • by performing operations of the type: 

D s - n . Q u dl . Qi, 2 d2 . ... Q Um dm mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as there are 
commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D} [process 
specified according to claim 1], 

where as the witness device comprises transmission means, hereinafter called means of 
transmission of the witness device, to transmit the responses D to the signing device, through the 
interconnection means. 
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Method for proving the authenticity of an entity and/or the integrity of a 
message by means of a public exponent equal to the power of two 

The present invention relates to the methods, systems and devices designed to 
prove the authenticity of an entity and/or the integrity and/or authenticity of a 
message. 

The patent EP 0 311 470 Bl, whose inventors are Louis Guillou and Jean- 
Jacqucs Quisquater, describes such a method. Hereinafter, reference shall be made 
to their work by the terms "GQ patent" or "GQ method". Hereinafter, the expression 
"GQ2", or "GQ2 invention" or "GQ2 technology" shall be used to describe the 
present invention. - - - 

According to the GQ method, an entity known as a "trusted authority" assigns 
an identity to each entity called a "witness" and computes its RSA signature. In a 
customizing process, the trusted authority gives the witness an identity and signature. 
Thereafter, the witness declares the following: "Here is my identity; I know its RSA 
signature The witness proves that he knows the RSA signature of his identity 
without revealing this signature. Through the RSA public identification key 
distributed by the trusted authority, an entity known as a "controller" ascertains, 
without obtaining knowledge thereof, that the RSA signature corresponds to the 
declared identity. The mechanisms using the GQ method run "without transfer of 
knowledge". According to the GQ method, the witness does not know the RSA 
private key with which the trusted authority signs a large number of identities. 

The GQ technology described here above makes use of RSA technology. 
However, while the RSA technology truly depends on the factorization of the 
modulus n, this dependence is not an equivalence, indeed far from it, as can be seen 
in what are called multiplicative attacks against various standards of digital 
signatures implementing the RSA technology. 

The goal of the GQ2 technology is twofold: firstly to improve the performance 
characteristics of RSA technology and secondly to avert the problems inherent in 
RSA technology. Knowledge of the GQ2 private key is equivalent to knowledge of 
the factorization of the modulus n. Any attack on the triplets GQ2 leads to the 



factorization of the modulus n: this time there is equivalence. With the GQ2 
technology, the work load is reduced for the signing or self-authenticating entity and 
for the controller entity. Through a better use of the problem of factorizing in terms 
of both security and performance, the GQ2 technology averts the drawbacks of RSA 
technology. 

The GQ method implements modulo computations of numbers comprising 512 
bits or more. These computations relate to numbers having substantially the same 
size raised to powers of the order of 2 16 + 1. Now, existing microelectronic 
infrastructures, especially in the field of bank cards, make use of monolithic self- 
programmable microprocessors without arithmetical coprocessors. The work load 
related to multiple arithmetical applications involved in methods such as the GQ 
method leads to computation times which, in certain cases, prove to be 
disadvantageous for consumers using bank cards to pay for their purchases. It may 
be recalled here that, in seeking to increase the security of payment cards, the 
banking authorities have raised a problem that is particularly difficult to resolve. 
Indeed, two apparently contradictory questions have to be resolved: on the one hand, 
increasing security by using increasingly lengthy and distinct keys for each card 
while, on the other hand, preventing the work load from leading to excessive 
computation times for the user. This problem becomes especially acute inasmuch as 
it is also necessary to take account of the existing infrastructure and the existing 
microprocessor components. 

The GQ2 technology provides a solution to this problem while boosting 
security. 

Method 

More particularly, the invention relates to a method designed to prove the 
following to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

This proof is established by means of all or part of the following parameters or 
derivatives of these parameters: 
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- m pairs of private values Q u Q 2 , ... Q m and public values G t , G 2 , ». G m 
(m being greater than or equal to 1), 

- a public modulus n constituted by the product of f prime factors p 1? p 2 , ... Pf 
(f being greater than or equal to 2), 

5 - a public exponent v. 

Said modulus, said exponent and said values are related by relations of the type 

Gi.Qi V -l . mod n or G { s Q s v mod n . 
Said exponent v is such that 

v = 2 k 

10 - where k is a security parameter greater than 1 . 

Said public value G; is the square g- 2 of a base number g; smaller than the f 
prime factors p u p 2 , ... Pr The base number g ; is such that 
the two equations: 

x 2 = gi mod n and x 2 s= - g; mod n 

15 cannot be resolved in x in the ring of integers modulo n and such that: 
the equation: 

x v = g 2 mod n 

can be resolved in x in the ring of the integers modulo n. 

Said method implements an entity called a witness in the following steps. Said 
20 witness entity has f prime factors piand/or parameters of the Chinese remainders of 
the prime factors and/or the public modulus n and/or the m private values Q ; and/or 
the f.m components Qjj (Q it j == Q { mod pj) of the private values Q s and of the public 
exponent v. 

The witness computes commitments R in the ring of integers modulo n. Each 
25 commitment is computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

30 • • by performing operations of the type: 
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Ri = r { v mod p { 

where r; is a random value associated with the prime number p ; such that 0 < r 4 < p i? 
each i*i belonging to a collection of random values , r 2 , ... r f }, 

• • then by applying the Chinese remainder method. 

5 The witness receives one or more challenges d. Each challenge d comprises m 

integers d* hereinafter called elementary challenges. The witness, on the basis of 
each challenge d, computes a response D, 

• either by performing operations of the type: 

D = r . Qi dl . Q 2 d2 . „. Q m dm mod n 
10 • or * — • • 

• • by performing operations of the type: 

Di = r, . Q M dl . Oi, 2 d2 . Qi, m dm mod Pi 
and then by applying the Chinese remainder method. 

The method is such that there are as many responses D as there are challenges 
15 d as there are commitments R, each group of numbers R, d, D forming a triplet 
referenced {R, d, D}. 

Case of the proof of the authenticity of an entity 
In a first alternative embodiment, the method according to the invention is 
designed to prove the authenticity of an entity known as a demonstrator to an entity 
20 known as the controller. Said demonstrator entity comprises the witness. Said 
demonstrator and controller entities execute the following steps: 

• Step 1: act of commitment R 

At each call, the witness computes each commitment R by applying the 
process specified here above. The demonstrator sends the controller all or part of 
25 each commitment R. 

• Step 2: act of challenge d 

The controller, after having received all or part of each commitment R, 
produces challenges d whose number is equal to the number of commitments R and 
sends the challenges d to the demonstrator. 
30 • Step 3: act of response D 
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The witness computes the responses D from the challenges d by applying the 
above-specified process. 

* Step 4: act of checking 

The demonstrator sends each response D to the controller. 
5 First case: the demonstrator has transmitted a part of each commitment 

R 

If the demonstrator has transmitted a part of each commitment R, the 
controller, having the m public values Gj, G 2 , G m , computes a reconstructed 
commitment R\ from each challenge d and each response D, this reconstructed 
10 commitment R' satisfying a relationship of the type 

R' = G l d l . G 2 d2 . G m dm . DV mod n 
or a relationship of the type 

R 1 == D v /Gj dl . G 2 d2 . ... G m dm . mod n 
The controller ascertains that each reconstructed commitment R f reproduces 
15 all or part of each commitment R that has been transmitted to it. 

Second case: the demonstrator has transmitted the totality of each 
commitment R 

If the demonstrator has transmitted the totality of each commitment R, the 
controller, having the m public values Gj, G 2 , G m , ascertains that each 
20 commitment R satisfies a relationship of the type 

R == Gj d l . G 2 d2 - ... G m dm . D v mod n 
or a relationship of the type 

R = D v /G x dl . G 2 d2 . ... G m dm # mod n 
Case of the proof of the integrity of the message 
25 In a second alternative embodiment capable of being combined with a first 

one, the method of the invention is designed to provide proof to an entity, known as 
the controller entity, of the integrity of a message M associated with an entity called 
a demonstrator entity. Said demonstrator entity comprises the witness. Said 
demonstrator and controller entities perform the following steps: 
30 • Step 1: act of commitment R 



At each call, the witness computes each commitment R by applying the 
process specified here above. 

• Step 2: act of challenge d 

The demonstrator applies a hashing function h whose arguments are the 
message M and all or part of each commitment R to compute at least one token T. 
The demonstrator sends the loken T to the controller. The controller, after having 
received a token T, produces challenges d equal in number to the number of 
commitments R and sends the challenges d to the demonstrator. 

• Step 3: act of response D 

The witness computes the responses D from the challenges d by applying the 
above-specified process. 

• Step 4: act of checking 

The demonstrator sends each response D to the controller. The controller, 
having the m public values Gj, G2, G m , computes a reconstructed commitment 
R f , from each challenge d and each response D, this reconstructed commitment R f 
satisfying a relationship of the type 

R' = G 1 dl . G 2 d2 . ... G m dm . D v mod n 
or a relationship of the type 

R f = D^Gx d l . G 2 d2 . .» G m dl " . mo d n 
Then the controller applies the hashing function h whose arguments are the 
message M and all or part of each reconstructed commitment R' to reconstruct the 
token TV Then the controller ascertains that the token T ? is identical to the token T 
transmitted. 

Digital signature of a message and proof of its authenticity 

In a third alternative embodiment capable of being combined with the above 
two, the method according to the invention 1 is designed to produce the digital 
signature of a message M by an entity known as the signing entity. Said signing 
entity includes the witness. 

Signing operation 
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Said signing entity executes a signing operation in order to obtain a signed 
message comprising: 

- the message M, 

- the challenges d and/or the commitments R, 
5 - the responses D. 

Said signing entity executes the signing operation by implementing the 
following steps: 

• Step 1: act of commitment R 

At each call, the witness computes each commitment R by applying the 
10 — process specified here above. — 

• Step 2: act of challenge d 

The signing party applies a hashing function h whose arguments are the 
message M and each commitment R to obtain a binary train. From this binary train, 
the signing party extracts challenges d whose number is equal to the number of 
1 5 commitments R. 

• Step 3: act of response D 

The witness computes the responses D from the challenges d by applying the 
above-specified process. 
Checking operation 

20 To prove the authenticity of the message M, an entity called a controller 

checks the signed message. Said controller entity having the signed message carries 
out a checking operation by proceeding as follows. 

• Case where the controller has commitments R, challenges d, responses D 

If the controller has commitments R, challenges d, responses D, the controller 
25 ascertains that the commitments R, the challenges d and the responses D satisfy 
relationships of the type 

R = G 1 dl . G 2 d2 . ... G m d ™ . mod n 
or relationships of the type: 

R s D^/Gx dl . G 2 d2 . ... G m d ™ m mod n 
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Then the controller ascertains that the message M„ the challenges d and the 
commitments R satisfy the hashing function: 
d = h (message, R) 

• Case where the controller has challenges d and responses D 

If the controller has challenges d and responses D, the controller reconstructs, 
on the basis of each challenge d and each response D, commitments R' satisfying 
relationships of the type 

R' = G X dl . G 2 d2 . ». G m dm . D v mod n 
or relationships of the type: 

R' = DV/Gx dl . G 2 d l . ... G m dm . mod n 

Then the controller ascertains that the message M and the challenges d satisfy 
the hashing function: 

d = h (message, R') 

• Case where the controller has commitments R and responses D 

If the controller has commitments R and responses D, the controller applies 
the hashing function and reconstructs d' 
d* = h (message, R) 

Then the controller device ascertains that the commitments R, the challenges 
d' and the responses D satisfy relationships of the type 

R = Gj d'l . G2 d'2 . _ Gm d'm m D v mod n 

or relationships of the type: 

R be DVGi d'l . G 2 d? 2 . ... G m d f m . mod n 

System 

The present invention also relates to a system designed to prove the following 
to a controller server: 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

This proof is established by means of all or part of the following parameters or 
derivatives of these parameters: 

- m pairs of private values Q,, Q 2 , ... Q m and public values G u G 2 , ... G m 



(m being greater than or equal to 1), 

- a public modulus n constituted by the product of said f prime factors p l5 p 2 , 
... p f (f being greater than or equal to 2), 

- a public exponent v. 

Said modulus, said exponent and said values are linked by relations of the type 

G; . Qi v = 1 . mod n or Gj = Qj v mod n . 
Said exponent v is such that 

v = 2 k 

where k is a security parameter greater than 1 . 

Said public value Gj is the square gj 2 of the base number gj smaller than the f 
prime factors p,, p 2 , ... p f . The base number gj is such that the two equations: 

x 2 = oJ mod n and x 2 = - g { mod n 
cannot be resolved in x in the ring of integers modulo n and such that the equation: 

x v = g^ mod n 
can be resolved in x in the ring of the integers modulo n. 

Said system comprises a witness device, contained especially in a nomad 
object which, for example, takes the form of a microprocessor-based bank card. The 
witness device comprises a memory zone containing the f prime factors p { and/or the 
parameters of the Chinese remainders of the prime factors and/or the public modulus 
n and/or the m private values Q; and/or f.m components Q if j (Q ifj = Q s mod pj) of 
the private values Qjand of the public exponent v. The witness device also 
comprises: 

- random value production means, hereinafter called random value production 
means of the witness device, 

- computation mean:,, hereinafter called means for the computation of 
commitments R of the witness device. 

The computation means compute commitments R in the ring of integers 
modulo n. Each commitment is computed: 

• either by performing operations of the type: 

R = r v mod n 



10 



where r is a random value produced by the random value production means, r being 
such that 0 < r < n, 

• or by performing operations of the type: 

Ri = rj V mod p; 

where r { is a random value associated with the prime number p ; such that 0 < r s < p i? 
each r { belonging to a collection of random values {r 1 , r 2 , ... r f }, then by applying 
the Chinese remainder method. 

The witness device also comprises: 

- reception means hereinafter called the means for the reception of the 
challenges d of the witness -device, to receive one or more challenges d; each 
challenge d comprising m integers d* hereinafter called elementary challenges. 

- computation means, hereinafter called means for the computation of the 
responses D of the witness device for the computation, on the basis of each challenge 
d, of a response D, 

♦ either by performing operations of the type: 

D s r.Q, dl .Q 2 d2 . ...Q m dm modn 
• or by performing operations of the type: 

Di = r s Q M dl . Q l2 d2 . ... Q i?m dm mo d Pi 
and then by applying the Chinese remainder method. 

The witness device also comprises transmission means to transmit one or more 
commitments R and one or more responses D. There are as many responses D as 
there are challenges d as there are commitments R, each group of numbers R, d, D 
forming a triplet referenced {R, d, D}. 

Case of the proof of the authenticity of an entity 

In a first alternative embodiment, the system according to the invention is 
designed to prove the authenticity of an entity called a demonstrator to an entity 
called a controller. 

Said system is such that it comprises a demonstrator device associated with a 
demonstrator entity. Said demonstrator device is interconnected with the witness 
device by interconnection means. It may especially take the form of logic 
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microcircuits in a nomad object, for example the form of a microprocessor in a 
microprocessor-based bank card. 

Said system also comprises a controller device associated with the controller 
entity. Said controller device especially takes the form of a terminal or remote 
server. Said controller device comprises connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to the demonstrator device. 

Said system is used to execute the following steps: 

• Step 1: act of commitment R 

At each call, the means^of computation of the commitments R of the witness 
device compute each commitment R by applying the process specified here above. 
The witness device has means of transmission, hereinafter called transmission means 
of the witness device, to transmit all or part of each commitment R to the 
demonstrator device through the interconnection means. The demonstrator device 
also has transmission means, hereinafter called the transmission means of the 
demonstrator, to transmit all or part of each commitment R to the controller device 
through the connection means. 

• Step 2: act of challenge d 

The controller device comprises challenge production means for the 
production, after receiving all or part of each commitment R, of the challenges d 
equal in number to the number of commitments R. The controller device also has 
transmission means, hereinafter known as the transmission means of the controller, 
to transmit the challenges d to the demonstrator through the connection means. 

• Step 3: act of response D 

The means of reception of the challenges d of the witness device receive each 
challenge d coming from the demonstrator device through the interconnection 
means. The means of computation of the responses D of the witness device compute 
the responses D from the challenges d by applying the process specified here above. 

• Step 4: act of checking 
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The transmission means of the demonstrator transmit each response D to the 
controller. The controller device also comprises: 

- computation means, hereinafter called the computation means of the 
controller device, 

- comparison means, hereinafter called the comparison means of the 
controller device. 

First case: the demonstrator has transmitted a part of each commitment R. 

If the transmission means of the demonstrator have transmitted a part of each 
commitment R, the computation means of the controller device, having m public 
values Gj, G 2 , G m , compute a reconstructed commitment R f , from each 
challenge d and each response D, this reconstructed commitment R f satisfying a 
relationship of the type 

R' = G! dl . g 2 d2 . ... Gm dm . D v mod n 
or a relationship of the type 

R' ss Dv/d dl . G 2 d2 . ... G m dm . mod n 
The comparison means of the controller device compare each reconstructed 
commitment R f with all or part of each commitment R received. 

Second case: the demonstrator has transmitted the totality of each 
commitment R 

If the transmission means of the demonstrator have transmitted the totality of 
each commitment R, the computation means and the comparison means of the 
controller device, having m public values G 1? G 2 , G m , ascertain that each 
commitment R satisfies a relationship of the type 

R ^ G X dl . g 2 d2 . ... Gfn dm ^ D v mod n 
or a relationship of the type 

R - DV/ Gl dl . g 2 d2 . _ Gm dm . mod n 
Case of the proof of the integrity of a message 

In a second alternative embodiment capable of being combined with the first 
one, the system according to the invention is designed to give proof to an entity, 
known as a controller, of the integrity of a message M associated with an entity 
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known as a demonstrator. Said system is such that it comprises a demonstrator 
device associated with the demonstrator entity. Said demonstrator device is 
interconnected with the witness device by interconnection means. Said demonstrator 
device may especially take the form of logic microcircuits in a nomad object, for 
example the form of a microprocessor in a microprocessor-based bank card. Said 
system also comprises a controller device associated with the controller entity. Said 
controller device especially takes the form of a terminal or remote server. Said 
controller device comprises connection means for its electrical, electromagnetic, 
optical or acoustic connection, especially through a data-processing communications 
network, to the demonstrator device. 

Said system is used to execute the following steps: 

• Step 1: act of commitment R 

At each call, the means of computation of the commitments R of the witness 
device compute each commitment R by applying the process specified here above. 
The witness device has means of transmission, hereinafter called transmission means 
of the witness device, to transmit all or part of each commitment R to the 
demonstrator device through the interconnection means. 

• Step 2: act of challenge d 

The demonstrator device comprises computation means, hereinafter called the 
computation means of the demonstrator, applying a hashing function h whose 
arguments are the message M and all or part of each commitment R to compute at 
least one token T. The demonstrator device also has transmission means, hereinafter 
known as the transmission means of the demonstrator device, to transmit each token 
T through the connection means to the controller device. The controller device also 
has challenge production means for the production, after having received the token 
T, of the challenges d in a number equal to the number of commitments R. The 
controller device also has transmission means, hereinafter called the transmission 
means of the controller, to transmit the challenges d to the demonstrator through the 
connection means. 

• Step 3: act of response D 
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The means of reception of the challenges d of the witness device receive each 
challenge d coming from the demonstrator device through the interconnection 
means. The means of computation of the responses D of the witness device compute 
the responses D from the chaMenges d by applying the process specified here above. 

• Step 4: act of checking 

The transmission means of the demonstrator transmit each response D to the 
controller. The controller device also comprises computation means, hereinafter 
called the computation means of the controller device, having m public values Gj, 
G2 ? G m , to firstly compute a reconstructed commitment R f , from each challenge 
d and each response D, this reconstructed commitment R f satisfying a relationship of - 
the type 

R' = Gx dl . c 2 d2 . ... G m dm m D v mod n 

or a relationship of the type 

R< = DV/ Gl dl . G 2 d2 . ... G m dm m mod n 

then, secondly, compute a token T 1 by applying the hashing function h having as 
arguments the message M and all or part of each reconstructed commitment R\ 

The controller device also has comparison means, hereinafter known as the 
comparison means of the controller device, to compare the computed token T 1 with 
the received token T. 

Digital signature of a message and proof of its authenticity 
In a third alternative embodiment capable of being combined with either or 
both of the first two embodiments, the system according to the invention is designed 
to prove the digital signature of a message M, hereinafter known as a signed 
message, by an entity called a signing entity. The signed message comprises: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D. 
Signing operation 

Said system is such that it comprises a signing device associated with the 
signing entity. Said signing device is interconnected with the witness device by 
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interconnection means. It may especially take the form of logic microcircuits in a 
nomad object, for example the form of a microprocessor in a microprocessor-based 
bank card. 

Said system is used to execute the following steps: 

• Step 1: act of commitment R 

At each call, the means of computation of the commitments R of the witness 
device compute each commitment R by applying the process specified here above. 
The witness device has means of transmission, hereinafter called the transmission 
means of the witness device, to transmit all or part of each commitment R to the 
demonstrator device through the interconnection means. - 

• Step 2: act of challenge d 

The signing device comprises computation means, hereinafter called the 
computation means of the signing device, applying a hashing function h whose 
arguments are the message M and all or part of each commitment R to compute a 
binary train and extract, from this binary train, challenges d whose number is equal 
to the number of commitments R. 

• Step 3: act of response D 

The means for the reception of the challenges d of the witness device receive 
each challenge d coming from the signing device through the interconnection means. 
The means for computing the responses D of the witness device compute the 
responses D from the challenges d by applying the process specified here above. 

The witness device comprises transmission means, hereinafter called means 
of transmission of the witness device, to transmit the responses D to the signing 
device through the interconnection means. 

Checking operation 

To prove the authenticity of the message M, an entity known as the controller 
checks the signed message. 

The system comprises a controller device associated with the controller 
entity. Said controller device especially takes the form of a terminal or remote 
server. Said controller device comprises connection means for its electrical, 
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electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to the signing device. 

The signing device associated with the signing entity comprises transmission 
means, hereinafter known as the transmission means of the signing device, for the 
transmission, to the controller device, of the signed message through the connection 
means. Thus the controller device has a signed message comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D. 

„ The controller device comprises: _ _ 

- computation means hereinafter called the computation means of the 
controller device, 

- comparison means, hereinafter called the comparison means of the 
controller device. 

• Case where the controller device has commitments R, challenges d, 
responses D 

Should the controller device have commitments R, challenges d, responses D, 
the computation and comparison means of the controller device ascertain that the 
commitments R, the challenges d and the responses D satisfy relationships of the 
type 

R = G X dl . G 2 d2 . ... G m dm . D v mod n 

or relationships of the type 

R s Dv/d dl . G 2 d2 . ... Gm dm . mod n 

Then, the computation and comparison means of the controller device 
ascertain that the message M, the challenges d and the commitments R satisfy the 
hashing function: 

d = h (message, R) 
* Case where the controller device has challenges d and responses D 
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If the controller has challenges d and responses D, the controller reconstructs, on the 
basis of each challenge d and each response D, commitments R' satisfying 
relationships of the type 

R' s Gi dl . G 2 d2 . ... G m dm . DV mod n 
or relationships of the type: 

R' = D^/Gx dl . G 2 d2 . ... G m d m . mod n 

Then the controller ascertains that the message M and the challenges d satisfy 
the hashing function: 

d = h (message, R') 
• Case where the controller has commitments R and responses D 

If the controller has commitments R and responses D, the computation means 
of the controller device apply the hashing function and compute d' such that 
d r = h (message, R) 

Then the computation and comparison means of the controller device 
ascertain that the commitments R, the challenges d ' and the responses D satisfy 
relationships of the type 

R = Gx dl . G 2 d2 . ... G m dm . D v mod n 
or relationships of the type: 

R = DV/Gx dl . G 2 d2 . ... G m dm . mod n 

"~ Terminal Device 

The invention also relates to a terminal device associated with an entity. The 
terminal device especially take the form of a nomad object, for example the form of a 
microprocessor in a microprocessor-based bank card. The terminal device is 
designed to prove the following to a controller server: 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity. 

This proof is established by means of all or part of the following parameters or 
derivatives of these parameters: 

- m pairs of private values Q 1? Q 2 , ... Q m and public values G l9 G 2 , ... G m 
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(m being greater than or equal to 1), 

- a public modulus n constituted by the product of said f prime factors p l5 p 2 , 
... p f (f being greater than or equal to 2), 

- a public exponent v. 

Said modulus, said exponent and said values are related by relations of the type 

Gi . Qi v = 1 . mod n or G { == mod n . 
Said exponent v is such that 

v = 2 k 

where k is a security parameter greater than 1 . 

Said public value G { is the square gj 2 of the base number gi smaller than the f 
prime factors p l9 p 2 , ... Pf. The base number g t is such that: 
the two equations: 

x 2 ~ gi mod n and x 2 = - g { mod n 
cannot be resolved in x in the ring of integers modulo n and such that 
the equation: 

x v = mod n 

can be resolved in x in the ring of the integers modulo n. 

Said terminal device comprises a witness device comprising a memory zone 
containing the f prime factors pj and/or the parameters of the Chinese remainders of 
the prime factors and/or the public modulus n and/or the m private values Qj and/or 
f.m components Q it i (Q u = Q; mod pj) of the private values Q ; and of the public 
exponent v. 

The witness device also comprises: 

- random value production means, hereinafter called random value production 
means of the witness device, 

- computation means, hereinafter called means for the computation of 
commitments R of the witness device, to compute commitments R in the ring of the 
integers modulo n. 

Each commitment is computed: 
• either by performing operations of the type: 
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R = r v mod n 

where r is a random value produced by the random value production means, r being 
such that 0 < r< n, 

• or by performing operations of the type: 

Ri = ri V mod pi 

where rjis a random value associated with the prime number p { such that 0 < ^< p i? 
each ri belonging to a collection of random values {r t , r 2 , ... r f } produced by the 
random value production means, then by applying the Chinese remainder method. 
The witness device also comprises: 

- reception means hereinafter called the means for the reception of the 
challenges d of the witness device, to receive one or more challenges d; each 
challenge d comprising m integers di hereinafter called elementary challenges. 

- computation means, hereinafter called means for the computation of the 
responses D of the witness device, for the computation, on the basis of each 
challenge d, of a response D, 

• either by performing operations of the type: 

D = r . Qj dl . Q 2 d2 . ... Q m dm mod n 

* or by performing operations of the type: 

Di = n • Q u dl . Q U2 d2 . ... Qi, m dm mod Pi 
and then by applying the Chinese remainder method. 

Said witness device also comprises transmission means to transmit one or more 
commitments R and one or more responses D. There are as many responses D as 
there are challenges d as there are commitments R. Each group of numbers R, d, D 
forms a triplet referenced {R, d ? D}. 

Case of the proof of the authenticity of an entity 

In a first alternative embodiment, the terminal device according to the 
invention is designed to prove the authenticity of an entity called a demonstrator to 
an entity called a controller. 

Said terminal device is such that it comprises a demonstrator device 
associated with a demonstrator entity. Said demonstrator device is interconnected 
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with the witness device by interconnection means. It may especially take the form of 
logic microcircuits in a nom?d object, for example the form of a microprocessor in a 
microprocessor-based bank card. 

Said demonstrator device also comprises connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to the controller device associated with the controller 
entity. Said controller device especially takes the form of a terminal or remote 
server. 

Said terminal device is used to execute the following steps: 

• Step 1: act of commitment R 

At each call, the means of computation of the commitments R of the witness 
device compute each commitment R by applying the process specified here above. 

The witness device has means of transmission, hereinafter called transmission 
means of the witness device, to transmit all or part of each commitment R to the 
demonstrator device through the interconnection means. The demonstrator device 
also has transmission means, hereinafter called the transmission means of the 
demonstrator, to transmit all or part of each commitment R to the controller device, 
through the connection means. 

• Steps 2 and 3: act of challenge d, act of response D 

The means of reception of the challenges d of the witness device receive each 
challenge d coming from the controller device through the connection means 
between the controller device and the demonstrator device and through the 
interconnection means between the demonstrator device and the witness device. The 
means of computation of the responses D of the witness device compute the 
responses D from the challenges d by applying the process specified here above. 

• Step 4: act of checking 

The transmission means of the demonstrator transmit each response D to the 
controller that carries out the check. 

Case of the proof of the integrity of a message 
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In a second alternative embodiment capable of being combined with the first 
one, the terminal device according to the invention is designed to give proof to an 
entity, known as a controller, of the integrity of a message M associated with an 
entity known as a demonstrator. Said terminal device is such that it comprises a 
demonstrator device associated with the demonstrator entity. Said demonstrator 
device is interconnected with the witness device by interconnection means. It may 
especially take the form of logic microcircuits in a nomad object, for example the 
form of a microprocessor in a microprocessor-based bank card. Said demonstrator 
device comprises connection means for its electrical, electromagnetic, optical or 
acoustic connection, especially through a data-processing communications network, 
to the controller device associated with the controller entity. Said controller device 
especially takes the form of a terminal or remote server. 

Said terminal device is used to execute the following steps: 

• Step 1: act of commitment R 

At each call, the means of computation of the commitments R of the witness 
device compute each commitment R by applying the process specified here above. 
The witness device has means of transmission, hereinafter called the transmission 
means of the witness device, to transmit all or part of each commitment R to the 
demonstrator device through the interconnection means. 

• Steps 2 and 3: act of challenge d, act of response D 

The demonstrator device comprises computation means, hereinafter called the 
computation means of the demonstrator, applying a hashing function h whose 
arguments are the message M and all or part of each commitment R to compute at 
least one token T. The demonstrator device also has transmission means, hereinafter 
known as the transmission means of the demonstrator device, to transmit each token 
T, through the connection means, to the controller device. 

Said controller, after having received the token T, produces challenges d in a 
number equal to the number of commitments R 

The means of reception of the challenges d of the witness device receive each 
challenge d coming from the controller device through the connection means 



22 



between the controller device and the demonstrator device and through the 
interconnection means between the demonstrator device and the witness device. The 
means of computation of the responses D of the witness device compute the 
responses D from the challenges d by applying the process specified here above. 
• Step 4: act of checking 

The transmission means of the demonstrator send each response D to the 
controller device which performs the check. 

Digital signature of a message and proof of its authenticity 

In a third alternative embodiment capable of being combined with either or 
both of the first two embodiments, the terminal device according to the invention is 
designed to produce the digital signature of a message M, hereinafter known as a 
signed message, by an entity called a signing entity. The signed message comprises: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D. 

Said terminal device is such that it comprises a signing device associated with 
the signing entity. Said signing device is interconnected with the witness device by 
interconnection means. It may especially take the form of logic microcircuits in a 
nomad object, for example the form of a microprocessor in a microprocessor-based 
bank card. Said demonstrator device comprises connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to the controller device associated with the controller 
entity. Said controller device especially takes the form of a terminal or remote 
server. 

Signing operation 

Said terminal device is used to execute the following steps: 
• Step 1: act of commitment R 

At each call, the means of computation of the commitments R of the witness 
device compute each commitment R by applying the process specified here above. 
The witness device has means of transmission, hereinafter called the transmission 
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means of the witness device, to transmit all or part of each commitment R to the 
signing device through the interconnection means. 

• Step 2: act of challenge d 

The signing device comprises computation means, hereinafter called the 
computation means of the signing device, applying a hashing function h whose 
arguments are the message M and all or part of each commitment R to compute a 
binary train and extract, from this binary train, challenges d whose number is equal 
to the number of commitments R. 

• Step 3: act of response D 

The means for the reception of the challenges d of the witness device receive 
each challenge d coming from the signing device through the interconnection means. 
The means for computing the responses D of the witness device compute the 
responses D from the challenges d by applying the process specified here above. The 
witness device comprises transmission means, hereinafter called means of 
transmission of the witness device, to transmit the responses D to the signing device, 
through the interconnection means. 

Controller Device 

The invention also relates to a controller device. The controller device may 
especially take the form of a terminal or remote server associated with a controller 
entity. The controller device is designed to check: 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity. 

This proof is established by means of all or part of the following parameters or 
derivatives of these parameters: 

- m pairs of public values G l5 G 2 , ... G m (m being greater than or equal to 1), 

- a public modulus n constituted by the product of said f prime factors p l5 p 2 , 
... p f (f being greater than or equal to 2), unknown to the controller device and to the 
associated controller entity, 

- a public exponent v. 

Said modulus, said exponent and said values are related by relations of the type 
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Gi . Q, v = 1 . mod n or Gj = Qj V mod n . 

where Qj designates a private value, unknown to the controller device, 
associated with the public value G { . 
The exponent v is such that 

v = 2 k 

where k is a security parameter greater than 1 . 

Said public value G; is the square gj 2 of a base number gi smaller than the f 
prime factors p l5 p 2 , ... p f . The base number g ; is such that 
the two equations: 

* 2 = gi mod n and x 2 s= - g i mod n 

cannot be resolved in x in the ring of integers modulo n and such that: 
the equation: 

x v = gj 2 mod n 
can be resolved in x in the ring of the integers modulo n. 

Case of the proof of the authenticity of an entity 

In a first alternative embodiment, the controller device according to the 
invention is designed to prove the authenticity of an entity called a demonstrator and 
an entity called a controller. 

Said controller device comprises connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to a demonstrator device associated with the demonstrator 
entity. 

Said controller device is used to execute the following steps: 
• Steps 1 and 2: act of commitment R, act of challenge d 

Said controller device also has means for the reception of all or part of the 
commitments R coming from the demonstrator device through the connection means. 

The controller device has challenge production means for the production, 
after receiving all or part of each commitment R, of the challenges d in a number 
equal to the number of commitments R, each challenge d comprising m integers dj 
hereinafter called elementary challenges. 
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The controller device also has transmission means, hereinafter called 
transmission means of the controller, to transmit the challenges d to the demonstrator 
through the connection means. 

• Steps 3 and 4: act of response D, act of checking 

The controller device also comprises: 

- means for the reception of the responses D coming from the demonstrator 
device, through the connection means, 

- computation means, hereinafter called the computation means of the 
controller device, 

- comparison means,^ hereinafter called the comparison means of the 
controller device. 

First case: the demonstrator has transmitted a part of each commitment R. 

If the reception means of the demonstrator have received a part of each 
commitment R, the computation means of the controller device, having m public 
values Gj, G 2 , G m , compute a reconstructed commitment R f , from each 
challenge d and each response D, this reconstructed commitment R f satisfying a 
relationship of the type 

R' = Gi dl . G 2 d2 - ... G m dm m D v mod n 
or a relationship of the type 

R' s Dv Gx dl . G 2 d2 . ... G m dm . mod n 
The comparison means of the controller device compare each reconstructed 
commitment R f with all or part of each commitment R received. 

Second case: the demonstrator has transmitted the totality of each 
commitment R 

If the transmission means of the demonstrator have transmitted the totality of 
each commitment R, the computation means and the comparison means of the 
controller device, having m public values G 1? G 2 , G m , ascertain that each 
commitment R satisfies a relationship of the type 

R s Gi dl . G 2 d2 . ... Gm dm . D v mo d n 
or a relationship of the type 
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R = DV/G X dl . G 2 d2 . ... G m dm . mod n 
Case of the proof of the integrity of a message 

In a second alternative embodiment capable of being combined with the first 
one, the controller device according to the invention is designed to give proof to an 
entity, known as a controller, of the integrity of a message M associated with an 
entity known as a demonstrator. 

Said controller device comprises connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to a demonstrator device associated with the demonstrator 
entity. _ 

Said system is used to execute the following steps: 
♦ Steps 1 and 2: act of commitment R, act of challenge d 
Said controller device also has means for the reception of tokens T coming 
from the demonstrator device through the connection means. The controller device 
has challenge production means for the production, after having received the token 
T, of the challenges d in a number equal to the number of commitments R, each 
challenge d comprising m integers dj, herein after called elementary challenges. The 
controller device also has transmission means, hereinafter called the transmission 
means of the controller, to transmit the challenges d to the demonstrator through the 
connection means. 

•Steps 3 and 4: act of response D, act of checking ~ 
The controller device also comprises means for the reception of the responses D 
coming from the demonstrator device, through the connection means. Said 
controller device also comprises computation means, hereinafter called the 
computation means of the controller device, having m public values Gj, G2, G m , 
to firstly compute a reconstructed commitment R ? , from each challenge d and each 
response D, this reconstructed commitment R' satisfying a relationship of the type 

R' = Gj d l . G 2 d2 . ... G m dm m D v mod n 
or a relationship of the type 

R' s Dv/Gx dl . G 2 d2 . ... G m dm . mod n 
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then, secondly, compute a token T f by applying the hashing function h having as 
arguments the message M and all or part of each reconstructed commitment R f . 

The controller device also has comparison means, hereinafter called the 
comparison means of the controller device, to compare the computed token T T with 
the received token T. 

Digital signature of a message and proof of its authenticity 

In a third alternative embodiment capable of being combined with either or 
both of the first two embodiments, the controller device according to the invention is 
designed to prove the authenticity of the message M by checking a signed message 
by means of an entity called a controller. 

The signed message, sent by a signing device associated with a signing entity 
having a hashing function h (message, R) comprises: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D. 
Checking operation 

Said controller device comprises connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to a signing device associated with the signing entity. 
Said controller device receives the signed message from the signed device, through 
the connection means. 

The controller device comprises: 

- computation means, hereinafter called the computation means of the 
controller device, 

- comparison means, hereinafter called the comparison means of the 
controller device. 

• Case where the controller device has commitments R, challenges d, responses 
D 

If the controller has commitments R, challenges d, responses D, the 
computation and comparison means of the controller device ascertain that the 
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commitments R, the challenges d and the responses D satisfy relationships of the 
type 

R = Gi dl . G 2 d2 . ». G m dm . Dv mod n 

or relationships of the type: 

R = D v /Gi dl . G 2 d2 - .» G m dm . mod n 

Then the computation and comparison means of the controller device 
ascertain that the message M, the challenges d and the commitments R satisfy the 
hashing function: 

d ? = h (message, R) 

• Case where the controller device has challenges d and responses D 

If the controller device has challenges d and responses D, the computation 
means of the controller, on the basis of each challenge d and each response D, 
compute commitments R' satisfying relationships of the type 

R' = G X dl . G 2 d2 . .» G m dm . D v mod n 
or relationships of the type: 

R' = Dv/Gx dl . G 2 d2 . ... G m dl " . mo d n 

Then the computation and comparison means of the controller device 
ascertain that the message M and the challenges d satisfy the hashing function: 
d = h (message, R') 

• Case where the controller device has commitments R and responses D 

If the controller device has commitments R and responses D, the computation 
means of the controller device apply the hashing function and compute d' such that 
d = h (message, R) 

Then the computation and comparison means of the controller device 
ascertain that the commitments R, the challenges d' and the responses D satisfy 
relationships of the type 

R = Gj d ' 1 . G 2 d ' 2 . ... G m d? m . D v mod n 
or relationships of the type: 

R = DV/Gx d? l . G 2 d ' 2 . ... G m d ' m . mod n 
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Description 

The goal of GQ technology may be recalled: it is the dynamic authentication 
of entities and associated messages as well as the digital signature of messages. 

The standard version of GQ technology makes use of RSA technology. 
However, although the RSA technology truly depends on factorizing, this 
dependence is not an equivalence, far from it, as can be shown from attacks, known 
as multiplicative attacks, against various digital signature standards implementing 
RSA technology. 

In the context of GQ2 technology, the present part of the invention relates more 
specifically to the use of sets of GQ2 keys in the context of dynamic authentication 
and digital signature. The GQ2 technology does not use RSA technology. The goal 
is a twofold one: first to improve performance with respect to RSA technology and 
secondly to prevent problems inherent in RSA technology. The GQ2 private key is 
the factorization of the modulus n. Any attack on the GQ2 triplets amounts to the 
factorizing of the modulus n\ this time there is equivalence. With the GQ2 
technology, the work load is reduced both for the entity that signs or is authenticated 
and for the one that checks. Through an improved use of the problem of 
factorization, in terms of both security and performance, the GQ2 technology rivals 
the RSA technology. 

The GQ2 technology uses one or more small integers greater than 1, for 
example m small integers (m > 1) called base numbers and referenced g h Since the 
base numbers are fixed from g, to g m with m > 1, a public verification key <v, n) is 
chosen as follows. The public verification exponent v is 2 k where & is a small integer 
greater than 1 (k>2). The public modulus n is the product of at least two prime 
factors greater than the base numbers, for example / prime factors (f> 2) referenced 
by/?,-, from/?! ...p f . The /prime factors are chosen so that the public modulus n has 
the following properties with respect to each of the m base numbers from g x to g m . 
- Firstly, the equations (1) and (2) cannot be resolved in x in the ring of the integers 
modulo n y that is to say that gi and ~g t - are two non-quadratic residues (mod n). 
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* 2 55 g t (mod n) (l) 
* 2 = (mod n) (2) 
- Secondly, the equation (3) can be resolved in x in the ring of the integers modulo 
n. 

x 2 = g 2 (mod n) (3) 
Since the public verification key (v, n) is fixed according to the base numbers 
from gi to g m with m > 1, each base number gv determines a pair of values GQ2 
comprising a public value G, and a private value Q{. giving m pairs referenced G\ Q\ 
to G,„ Q m . The public value G ; is the square of the base number g t -: giving G, = gv 2 . 
The private value £>/ is one of the solutions to the equation (3) or else the inverse 
(mod n) of such a solution. 

Just as the modulus .** is broken down into f prime factors, the ring of the 
integers modulo n are broken down into / Galois fields, from CG^O to CG(/?y). Here 
are the projections of the equations (1), (2) and (3) in CG^). 

x 2 = gi (mod Pj ) (La) 

x 2 s-g, (mod pj) (2.a) 

x 2 * ^g 2 (mod Pj ) . (3.a) 
Each private value Q t can be represented uniquely by / private components, one 
per prime factor: Q u = Q { (mod p^. Each private component Q- X j is a solution to the 
equation (3. a) or else the inverse (mod pj) of such a solution. After all the possible 
solutions to each equation (3. a) have been computed, the Chinese remainder 
technique sets up all the possible values for each private value Q x on the basis of/ 
components of Q iX to Qif. Q, = Chinese remainders (£?/,i> Qi,2, --- Quj) so as to obtain 
all the possible solutions to the equation (3). 

The following is the Chinese remainder technique: let there be two positive 
integers that are mutually prime numbers a and b such that 0<a<b 9 and two 
components X a from 0 to a-l and X b from 0 to 6—1. It is required to determine 
X= Chinese remainders (X a , X b )> namely the unique number X from 0 to a.b-l such 
that X a = X (mod a) and X b ^^(mod b). The following is the Chinese remainder 
parameter: a = {b (mod a)}~ x (mod a). The following is the Chinese remainder 
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operation: e = X b (mod a); 8 = X a -e; if 8 is negative, replace 8 by5+a; y= a . 8 
(mod a);X=y- b + X b . 

When the prime factors are arranged in rising order, from the smallest p l to the 
greater p j9 the Chinese remainder parameters can be the following (there are^l of 
them, namely one less than prime factors). The first Chinese remainder parameter is 
a = {P2 (mod .pi)}" 1 (mod p{). The second Chinese remainder parameter is j3= {p\.p% 
(mod p^)Y X (mod p 3 ). The i—th Chinese remainder parameter is X = {pi-Pi- ■•• Pr~\ 
(mod/?/)}" 1 (mod /?,). And so on and so forth. Finally, in f—\ Chinese remainder 
operations, a first result (mod p 2 times p{) is obtained with the first parameter and 
then a second result (mod p\P2 times p 3 ) with the second parameter and so on and so 
forth until a result (mod p\. ... pf^\ times pj), namely (mod n). 

There are several possible depictions of the private key GQ2, which expresses 
the polymorphic nature of the private key GQ2. The various depictions prove to 
be equivalent: they all amount to knowledge of the factorization of the module n 
which is the true private GQ2 key. If the depiction truly affects the behavior of the 
signing entity or self-authenticating entity, it does not affect the behavior of the 
controller entity . 

Here are the main three possible depictions of the GQ2 private key. 

1) The standard representation in GO technology consists of the storage of m 
private values Qf and the public verification key <v, n>\ in GQ2, this depiction is 
rivalled by the following two. 2) The optimal representation in terms of work load 
consists in storing the public exponent v, the / prime factors pp m.f private 
components Qjj and f-l parameters of the Chinese remainders. 3) The optimal 
representation in terms of private key size consists in storing the public exponent v, 
the m basic numbers gf and the / prime factors pj 9 then in starting each use by setting 
up either m private values Qi and the module n to return to the first depiction or else 
w./private components Qfj and f-\ parameters of the Chinese remainders to return to 
the second one. 
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The signing or self-authenticating entities can all use the same base numbers. 
Unless otherwise indicated, the m base numbers from g j to g m can then 
advantageously be the m first prime numbers; 

Because the security of the dynamic authentication mechanism or digital 
signature mechanism is equivalent to knowledge of a breakdown of the modulus, the 
GQ2 technology cannot be used to simply distinguish two entities using the same 
modulus. Generally, each entity that authenticates itself or signs has its own GQ2 
modulus. However, it is possible to specify GQ2 moduli with four prime factors, 
two of which are known by an entity and the other two by another entity. 

Here is a first set of GQ2 keys with k = 6, giving v = 64, m = 3, giving three 
base: gi = 3, g 2 = 5 et g^ = 7, and f= 3, namely a modulus with three prime factors: 
two congruent to 3 (mod 4) and one to 5 (mod 8). It must be noted that g — 2 is 
incompatible with a prime factor congruent to 5 (mod 8). 
Pi = 03CD2F4F21E0EAD60266D5CFCEBB6954683493E2E833 
p 2 = 0583B097E8D8D777BAB3874F2E76659BB614F985EC1B 
p 3 = 0C363CD93D6B3FEC78EE13D7BE9D84354B8FDD6DA1FD 
n= Pl .p 2 .p3 = FFFF81CEA149DCF2F72EB449C5724742FE2A3630D9 
02CC00EAFEE1B957F3BDC49BE9CBD4D94467B72AF28CFBB26144 
CDF4BBDBA3C97578E29CC9BBEE8FB6DDDD 
Q u = 0279C60D216696CD6F7526E23512DAE090CFF879FDDE 
0 2i , = 7C977FC38F8413A284E9CE4EDEF4AEF35BF7793B89 
Q 3J = 6FB3B9CO5A03D7CADA9A3425571EF5ECC54D7A7B6F 
g 1)2 = 0388EC6AA1E87613D832E2B80E5AE8C1DF2E74BFF502 
Qi,? = 04792CE70284D16E9A158C688A7B3FEAF9C40056469E 

03.2 = FDC4A8E53E185A4E A793E93BEE5C636DA731BDCA4E 
g, )3 = 07BC1AB048A2EAFDAB59BD40CCF2F657AD8A6B573BDE 

02.3 = 0AE8551E1 16A3AC089566DFDB3AE003CF174FC4E4877 
03.3 = 01682D490041913A4EA5B80D16B685E4A6DD88070501 

Qi = D7E1CAF28192CED6549FF457708D50A7481572DD5F2C335D8 
C69E22521B510B64454FB7A19AEC8D06985558E764C6991B05FC2A 
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C74D9743435AB4D7CF0FF6557 

Q 2 = CB1ED6B1DD649B89B9638DC33876C98AC7AF689E9D1359E4 
DB 1 7563B9B3DC582D527 1 949F3DB A5 A70C 1 08F56 1 A274405 A5CB8 
82288273 ADE67353A5BC3 1 6C093 
5 0 3 = 09AA6F4930E5 1 A70CCDFA77442B 1 0770DD1CD77490E3398A 
AD9DC50249C343 1 291 5E559 1 7A 1 ED4D83 AA3D607E3EB5C8B 197 
697238537FE7A0195C5E8373EB74D 

The following is a second set of GQ2 keys, with k = 9, that is v = 5 12, m = 2, that is 
two base numbers: g\=2 and g 2 = 3, and /= 3, giving a modulus with three prime 
10 factors congruent to 3 (mod 4). 

p x = 03852103E40CD4F06FA7BAA9CC8D5BCE96E3984570CB 

p 2 = 062AC9EC42AA3E688DC2BC871C8315CB939089B61DD7 

p 3 = 0BCADEC219F1DFBB8AB5FE808A0FFCB53458284ED8E3 

n=P\ .P2-P3 = FFFF5401ECD9E537F167A80C0A9111986F7A8EBA4D 

15 6698AD68FF670DE5D9D77DFF00716DC7539F7CBBCF969E73AOC49 

76 1B276A8E6B6977A2 1D5 , 669D039F 1D7 

Q hX = 0260BC7243C22450D566B5C6EF74AA29F2B927AF68E1 
Q 2A = 0326C12FC7991ECDC9BB8D7C1C4501BE1BAE9485300E 

01.2 = 02DOB4CC95A2DD435DOE22BFBB29C59418306F6CDOOA 
20 £> 2>2 = 045ECB881387582E7C556887784D2671CA118E22FCF2 

0 1;3 = B0C2B1F808D24F6376E3A534EB555EF54E6AEF5982 

02.3 = 0AB9F81DF462F58A52D937E6D81F48FFA4A87A9935AB 

0, = 27F7B9FC82C19ACAE47F3FE9560C3536A7E90F8C3C51E13C 
35F32FD8C6823DF753685DD63555D2146FCDB9B28DA367327DD6 
25 EDDA092D0CF108D0AB708405DA46 

02 = 230D0B9595E5AD388F1F447A69918905EBFB05910582E5BA64 
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9C94B0B2661E49DF3C9B42FEF1F37A7909B1C2DD54113ACF87C6 
Fl 1F19874DE7DC5D1DF2A9252D 
Dynamic authentication 

The dynamic authentication mechanism is designed to prove, to an entity 
known as a controller, the authenticity of another entity known as a demonstrator 
as well as the authenticity of a possible associated message M, so that the controller 
can be sure that it is truly the demonstrator and, as the case may be, only the 
demonstrator and that the demonstrator is truly speaking of the same message M 
The associated message Mis optional. This means that it may be vacant. 

The dynamic authentication mechanism is a sequence of four acts: an act of 
commitment, and act of challenge, and act of response and an act of checking. The 
demonstrator fulfills the acts of commitment and response. The controller fulfills the 
acts of challenge and control. 

Within the demonstrator, it is possible to isolate a witness so as to isolate 
the most sensitive parameters and functions of the demonstrator, namely the 
production of commitments and responses. The witness has the parameter k and the 
private key GQ2, namely the factorization of the module n according to one of the 
three depictions referred to here above: • the / prime factors and the m base 
numbers, • the m.f private component, the / prime factors and the f-l parameters of 
the Chinese remainders, • the m private values and the modulus n. 

The witness may correspond to a partial embodiment, for example, « a chip 
card connected to a PC forming the entire demonstrator or again, « specially 
protected programs within a PC, or again, ♦ specially protected programs within a 
smart card. The witness thus isolated is similar to the witness defined here below 
within the signing party. At each execution of the mechanism, the witness produces 
one or more commitments R and then as many responses D to as many challenges d. 
Each set {R, d t D} is a GQ2 triplet. 

Apart from comprising the witness, the demonstrator also has, if necessary, a 
hashing function and a message M. 
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The controller has the modulus n and the parameters k and w; if necessary, it 
also has the same hashing function and a message M. The controller is capable of 
reconstituting a commitment R' from any challenge d and any response £>. The 
parameters k and m inform the controller. Failing any indication to the contrary, the 
m base numbers from gj to g m are the m first prime numbers. Each challenge d must 
have m elementary challenges referenced from dj to d m : one per base number. This 
elementary challenge from dj to d m may take a value of 0 to 2 k "l-l (the values of 
v/2 to v-1 are not used). Typically, each challenge is encoded by m times k-l bits 
(and not by m times k bits). For example, k = 6 and m = 3 and the base numbers 3, 5 
and 7, each challenge has 15 bits transmitted on two bytes; with k = 9, m = 2 and the 
base numbers 2 and 3, each challenge has 16 bits transmitted on two bytes. When 
the (k-l).m possible challenges are also possible, the value (k-l)jn determines the 
security provided by each GQ2 triplet: an impostor who, by definition, does not 
know the factorization of the module n has exactly one chance of success in 
2(k-l)^i When (k-l).m is equal to 15 to 20, one triplet is enough to reasonably 
provide for dynamic authentication. To achieve any security level, it is possible to 
produce triplets in parallel. It is also possible to produce sequentially, namely to 
repeat the execution of the mechanism. 

1) The act of commitment comprises the following operations. 

When the witness has m private values from Qj to Q m and the modulus n, it 
draws one or more random values r (0 < r < ri) at random and privately; then by k 
successive squaring (mod ri) operations, it converts each random value r into a 
commitment R. 

R = r v (mod n) 
Here is an example with the first set of keys with k = 6. 
r = B8AD426C1A10165E94B894AC2437C1B1797EF562CFA53A4AF8 
43 1 3 1 FF 1 C89CFDA 1312071 947 1 0EF9C0 1 0E8F09C60D98 15121981260 
919967C3E2FB4B4566088E 

R - FFDD736B666F41FB771776D9D50DB7CDF03F3D976471B25C56 
D3AF07BE692CB1FE4EE70FA77032BECD8411B813B4C21210C6B04 
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49CC4292E5DD2BDB00828 AF 1 8 

When the witness has / prime factors from p j to py and m.f private 
components Qjj, it draws one or more collections of / random values at random and 
privately: each collection has one random value r/ per prime factor pi (0 < r; < /?;); 
then by k successive operations of squaring (mod /?;), it converts each random value 
17 into a component of commitment Rf. 

Ri = i"i v (mod Pi) 

Here is an example with the second set of keys with k=9. 

r } = B0418EABEBADF0553A28903F74472CD49DD8C82D86 

Ri = 022B365F0BEA8E157E94A9DEB0512827FFD5149880F1 
r 2 = 75A8DA8FE0E60BD55D28A218E31347732339F1D667 
R 2 - 057 E 43A242C4S3FC20DEEF291C774CF1B30F0163DEC2 
r 3 = 0D74D2BDA5302CF8BE2F6D406249D148C6960A7D27 
R 3 - 06 E 14C8FC4DD312BA3B475F1F40CF01ACE2A88D5BB3C 

For each collection of / commitment components, the witness sets up a 
commitment according to the technique of Chinese remainders. There are as many 
commitments as there are collections of random values. 

R = Chinese remainders (R 7, R 2 , RJ) 

R - 28AA7F12259BFBA81368EB49C93EEAB3F3EC6BF73B0EBD7 

D3FC8395 CF A 1 AD7FC0F9D AC 1 69 A4F6F 1 C46FB4C345 8D 1 E3 7C9 

9 1 23B56446F6C928736B 1 7B4BA4A529 

In both cases, the demonstrator sends the controller all or part of each 
commitment R, or at least a hashing code H obtained by hashing each commitment R 
and one message Af. 

2) The act of challenge consists in drawing at random one or more 
challenges d each consisting of m elementary challenges dj I d2 I ... / d m \ each 
elementary challenge dj takes one of the values from 0 to v/2-1. 

d = dj I d2 I ... / d m 
Here is an example for the first set of keys with k = 6 and m = 3. 
dj = 101 10 = 22 = '16'; d 2 = 001 1 1 - 7; d 3 = 00010 = 2 
</=0 I I dj I I d 2 I I d 3 = 0101 1000 1 1100010 = 58 E2 
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Here is an example for the second set of keys with k = 9 and m = 2. 

d=dj | | ^2 = 5 ^ E2, that is, in decimal notation 88 and 226 
The controller sends the demonstrator each challenge d. 
3) The act of response has the following operations. 

When the witness has m private values from Qj to Q m and the modulus n 9 it 
computes one or more responses D in using each random value r of the act of 
commitment and the private values according to the elementary challenges. 
X s Q } dl .Q 2 d2 ~.Qj m {™odn) 
D = r.X (mod n) 
Here is an example for the first set of keys. 

D = FF257422ECD3C7A03706B9A7B28EE3FC3A4E974AEDCDF386 
5EEF38760B859FDB5333E904BBDD37B097A989F69085FE8EF6480 
A2C6 A290273 479FEC9 1 7 1 990 A 1 7 

When the witness has / prime factors from pi to pf and m.f private 
components Qij> it computes one or more collections of / response components in 
using each collection of random values of the act of commitment: each collection of 
response components comprises one component per prime factor. 

Xi ^Qj d} .Q 2 d2 ^Q m dm fl (mod Pl ) 
D; = rj.Xj (mod pi) 

Here is an example for the second set of keys. 

O2660ADF3C73B6DC15E196152322DDE8EB5B35775E38 
D 2 = r 2 . Q^.Qzf- (modp,) = 

04C15028E5FD1 175724376C1 1BE77052205F7C62AE3B 
D 3 = r 3 .Q l / l .Q 23 d2 (modp 3 ) = 

0903D20DOC306C8EDA9D8FB5B3BEB55E061AB39CCF52 

For each collection of response components, the witness draws up a response 

according to the Chinese remainder technique. There are as many responses as there 

are challenges. 

D = Chinese reminders (D j, D2, DJ) 
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D = 85C3B00296426E97897F73C7DC6341FB8FFE6E879AE12EF1F36 
4CBB55BC44DEC437208CF530F8402BD9C51 1F5FB3B3A309257A00 
1 95 A7305C6FF3323F72DC 1 AB 

In both cases, the demonstrator sends each response D to the controller. 
5 4) The checking act consists in ascertaining that each triplet {R, d } D} 

verifies an equation of the following type for a non-zero value , 
RY[Gf =D 2 ( mod „) or else RsD 2 Y[Q d (mod ri) 

( =1 i =1 

or else in sefting_up_each commitment: none should be zero . 

R'=D 2 /JjGf (mod n) or else K=D JjGf (mod n) 

10 H necessary, the controller men computes a nasning code H* in hashing each 

re-established commitment °' and a message M\ The dynamic authentication is 
successful when the controller thus retrieves what it had received at the end of the 
first act of commitment, namely all or part of each commitment 7?, or else the 
hashing code H. 

15 For example, a sequence of elementary operations converts the response D 

into a commitment R\ The sequence has k squares (mod n) separated by k-l 
divisions or multiplications (mod n) by base numbers. For the z-th division or 
multiplication, which is performed between the z-th square and the z'+lst square, the 
z-th bit of the elementary challenge df indicates that it is necessary to use gj 9 the z-th 

20 bit of the elementary challenge d2 indicates whether it is necessary to use g2> ... up to 
the /-th bit of the elementary challenge d m which indicates that it is necessary to use 

Here is an example for the first set of keys. 

D 7 (mod/x) = FD12E8E1F1370AEC9C7BA2E05C80AD2B692D341D46F3 
25 2B93948715491F0EB091B7606CA1E744E0688367D7BB998F7B73D5F7 
FDA95D5BD6347DC8B978CA2 17733 

3 . D 2 (mod n) - F739B70891 1 166DFE715800D8A9D78FC3F332FF622D 

3EAB8E7977C68AD44962BEE4DAE3C0345D1CB34526D3B67EBE8BF 

987041B4852890D83FC6B48D3EF6A9DF 
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3 2 . D* (mod n) = 682A7AF280C49FE230BEE354BF6FFB30B7519E3C8 
92DD07E5 A78 1 225BBD33920E5 ADABBCD7284966D7 1141 EAA 1 7 AF 
8826635790743EA7D9A15A33ACC7491D4A7 

3' . D 8 (mod 73) = BE9D828989A2C 1 84E34B A8FEOF3 848 1 1 642B7B548F 
870699E7869F8ED85 1 FC3DB383OB2400C5 1 65 1 1 A0C28AFDD2 1 0EC3 
939E69D4 1 3F0BABC6DEC44 1974B 1 A29 1 

3 s . 5 . D s (mod n) = 2B40122E225CD858B26D27B768632923F2BBE5 
DB 1 5CA9EFA77EFA667E554A02 AD 1 Al E4F6B59BD9E 1 AE4A53 7D 
4AC1E89C2235C363830EBF4DB42CEA3DA98CFE00 
3 10 . 5 : . D' 6 (mod n) = BDD3B34C90ABBC870C604E27E7F2E9DB2D383 
68EA46C93 1 C66F6C7509B 1 1 8E3 C 1 628 1 1 A98 1 69C30D4DEF768397DD 
B8F6526B67142J8DEB627E11FACA4B9DB268 

3" . 5 5 . 7 . £> 16 (mod n) = DBFA7F40D338DE4FBA73D42DBF427BBF195 
C13D02AB0FA5F8C8DDB5025E342823 1 1CEF80BACDCE5D0C433444 
A2 AF2B 1 53 1 8C3 6FE2 AE02F3C8CB2563 7C9AD7 1 2F 
3 a . 5 6 . 7 2 . If 2 (mod n) =.C60CA9C4A1 1F8AA89D9242CE717E3DC6C1 
A95D5D09A2278F8FEE 1 DFD94EE84DO9DOO0EA8633B53C4 A0E7FOA 
EECB70509667 A3CB052029C94EDF276 1 1 FAE286A7 
3 a . 5 7 . 7 2 . D* 1 (mod n) = DE40CB6B41C01E722E4F3 12AE7205F18CDD 
0303EA52261CB0EA9F0C7E0CD5EC53D42E5CB645B6BB1A3B00C77 
886F4AC5222F9C863DACA440CF5F1A8E374807AC 
3** . 5 U .T.D 64 (mod n), namely 3 2C . 5 E . T . D*° with the exponents 
hexadecimal notation = FFDD736B666F41FB771776D9D50DB7CDF03F3D9 
7647 1B25C56D3 AF07BE692CB 1 FE4EE70FA77032BECD84 1 1 B8 1 3B4C 
2121 OC6B0449CC4292E5DD2BDB00828 API 8 
We find the commitment R. The authentication is successful. 
Here is an example for the second set of keys. 

D 2 (mod n) = C66E585D8F132F7067617BC6DOOBA699ABD74FB9D13E 
24E6A6692CC8D2FC7B57352D66D34F5273C13F20E3FAA228D70AEC 
693F8395ACEF9206B172A8A2C2CCBB 
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3 . D 2 (mod n) = 534C61 14D385C3E15355233C5B00DO9C2490DIB8D8E 
D3D59213CB83EAD41C309A187519E5F501C4A45C37EB2FF38FBF20 
1 D6D 1 3 8F3999FC 1 D06A2B2647D48283 

3 2 . D* (mod n) = A9DC8DEA867697E76B4C18527DFFC49F4658473D03 
4EC1DDE0EB21F6F65978BE477C4231AC9B1EBD93D5D49422408E47 
1 59 19023B 1 6BC3C6C46A92BBD326AADF 

2 . 3 3 . D 4 (mod n) = FB2D57796039DFC4AF9I99CAD44B66F257A1FF 
3F2BA4C12BOA8496A0148B4DFBAFE838EOB5A7D9FB4394379D72A 
1 07E45C5 1FCDB7462D03 A35002D29823 A2BB5 

2 : . 3 6 . D l (mod n) = 4C210F96FF6C77541910623B1E49533206DFB9E91 
652 1 F305F 1 2C5DB054D4E 1 BF3 A3 7F A293 854DF02B49283B6DE5E5D 
82ACB23DAF 1 A0D5 A72 1 A 1 890D03 A00BD8 

2 J . 3 7 . D % (mod n) = E4632EC4FE4565FC4B3 126B15ADBF996149F2D 

BB42F65D911D38519I0FE7EA53DAEA7EE7BA8FE9D081DB78B249 

B 1 B 1 88806 1 6B90D4E280F564E49B270AE023 88 

2* . 3" . D' 6 (mod n) = ED3 DDC7 1 6AE3 D 1 E A74C5 AF93 5DE8 1 4BCC 

2C78B12A6BB29FA542F9981C5D954F53D153B9F0198BA82690EF 

665C 1 7C399607DEA54E2 1 8C2C0 1 A890D422EDA 1 6FA3 

2 5 . 3 M . D' 6 (mod n) = DA7C64E0E8EDBE9CF823B71AB13F17E1 161487 

6B000FBB473F5FCBF5A5D8D26C7B2A05D03BDDD588 1 64E562D0F5 

7AE94AE0AD3F35C61CO892F4C91DCOBO8ED6F 

2'° . 3 2 ' . D n (mod n) = 6ED6AFC5A87D2DD1 1 7BOD89072C99FB9DC9 

5D558F65B6A1967E6207D4ADBBA32001D3828A35069B256A07C3D 

722F1 7DA30088E6E739FBC4 1 9FD7282D1 6CD6542 

2" . 3 28 . D" (mod n) = DDAD5F8B50FA5BA22F61B120E5933F73B92 

BAAB 1 ECB6D43 2CFCC40FA95B77464003 A705 1 46A0D3 64AD40F8 

7AE45E2FB4601 1 1CDCE73F78833FAE505A2D9ACA84 

2" . 3 56 . D 64 (mod n) = A466DOCB17614EFD961000BD9EABF4F021 

36F8307 1 0 1 882BC 1 764DB AACB7 1 5EFBF5D8309 AE00 1 EB5DEDA 

8F000E44B3D4578E5CA55797FD4BD1F8E919BE787BDO 

2" . 3" ; . D m (mod n) = 925BOEDF5047EFEC5AFABDC03A8309 19761 
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B8FBDD2BF934E2A8A31E29B976274D513007EF1269E4638B4F65F 

8FDEC740778BDC178AD7AF2968689B930D5A2359 

2" . 3'° . D 128 (mod n) = B71 1D89C03FDEA8D1F889134A4F809B3F2D 

8207F2AD8213D169F2E99ECEC4FE080389O0FOC203B55EE4F4C8O3 

BFB91 2A04F 1 1 D9DB9D07602 1 764BC4F57D47834 

2* 9 . 3^ 6 . D 256 (mod n) - 41A83F1 19FFE4A2F4AC7E5597A5D0BEB4D4C 

08D19E597FD034FE720235894363A19D6BC5AF323D24B1B7FCFD8D 

FCC62S02 1 B4648D7EF757 A3 E46 1 EFOCFFOEA 1 3 

2 m . 3 452 . D 512 (mod n) that i S 4" . 9™ . D 512 (mod n) - 28AA7F12259BFBA8 
I368EB49C93EEAB3F3EC6BF73B0EBD7D3FC8395CFA1AD7FC0F9D 
ACI69A4F6F1C46FB4C3458D1E37C99123B56446F6C928736B17B4BA 
4A529 

We find the commitment R. The authentication is successful. 
Digital signature 

The digital signing mechanism enables an entity called a signing party to 
produce signed messages and an entity called a controller to ascertain signed 
messages. The message Mis any binary sequence: it may be vacant. The message 
Mis signed by adding a signature appendix to it. This signature appendix comprises 
one or more commitments and/or challenges as well as the corresponding responses. 

The controller has the same hashing function, the parameters k and m and the 
module n. The parameters k and m provide information to the controller. Firstly, 
each elementary challenge from dj to d m must take a value from 0 to 2^.1-1 (the 
values of v/2 to v-1 are not used). Secondly, each challenge d must comprise m 
elementary challenges referenced from dj to d m , namely as many of them as base 
numbers. Furthermore, failing indications to the contrary, the m base numbers from 
g] to g m are the m first prime numbers. With (k-l).m equal to 15 to 20, it is possible 
to sign with four triplets GQ2 produced in parallel; with (k~\),m equal to 60 or more, 
it is possible to sign with a single triplet GQ2. For example, with k = 9 and m = 8, a 
single triplet GQ2 is enough; each challenge has eight bytes and the base numbers 
are 2,3,5,7, 11, 13, 17 and 19. 
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The signing operation is a sequence of three acts: an act of commitment, an 
act of challenge and an act of response. Each act produces one or more GQ2 triplets 
each comprising: a commitment R (■£ 0), a challenge d consisting of m elementary 
challenges referenced dj, d2> d m and a response D 0). 

The signing party has a hashing function, the parameter k and the GQ2 
private key, namely the factorization of the modulus n according to one of the three 
depictions referred to here above. Within the signing party, it is possible to isolate 
a witness that performs the the acts of commitment and response, so as to isolate 
the functions and parameters most sensitive to the demonstrator. To compute 
commitments and responses, the witness has the parameter k and the GQ2 private 
key, namely the factorization of the modulus n according to one of the three 
depictions referred to here above. The witness thus isolated is similar to the witness 
defined within the demonstrator. It may correspond to a particular embodiment, for 
example, « a chip card connected to a PC forming the entire signing party, or again, « 
programs particularly protected within a PC, or again, « programs particularly 
protected within a chip card. 

1) The act of commitment comprises the following operations: 

When the witness has m private values from Qj to Q m and the modulus n, it 
randomly and privately draws one or more random values r (0 < r < w); then, by k 
successful squaring (mod ri) operations, it converts each random value r into a 
commitment R. 

R { = r v (mod ri) 

When the witness has f prime factors from p j to p-f and m.f private 
components Qy, it privately and randomly draws one or more collections of/random 
values: each collection has one random value r\ per prime factor pi (0 < r; < pf)\ 
then, by k successive squaring (mod pj) operations, it converts each random value r\ 
into a component of commitment R\. 

Ri^r? (mod Pi ) 
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For each collection of f commitment components, the witness sets up a 
commitment according to the Chinese remainder technique. There are as many 
commitments as there are collections of random values. 

R = Chinese remainders (R j, R2, Rj) 

2) The act of challenge consists in hashing all the commitments R and the 
message to be signed Mto obtain a hashing code from which the signing party forms 
one or more challenges each comprising m elementary challenges; each elementary 
challenge takes a value from 0 to v/2-1; for example with k = 9 and m = 8. Each 
challenge has eight bytes. There are as many challenges as there are commitments. 

d = dj I d2 J ... / d m , extracted from the result Hash(M, R) 

3) The act of response comprises the following operations. 

When the witness has m private values from Qj to Q m and the modulus n, it 
computes one or more responses D using each random value r of the act of 
commitment and the private values according to the elementary challenges. 

x./ = ei^.e 2 ^---e/ m (modn) 

D / = r. /X. / (mod n) 
When the witness u as / prime factors from p j to and m.f private 
components Qy, it computes one or more collections of / response components in 
using each collection of random values of the act of commitment : each collection of 
response components comprises one component per prime factor. 

Xi - eA/. Qi^i ■» Qm dn \i (mod a) 
Dj = rj.Xi (mod p,) 

For each collection of response components, the witness sets up a response 
according to the Chinese remainders technique. There are as many responses as 
there are challenges. 

D = Chinese remainders (D 7, Z>2> — > Dj) 
The signing party signs the message M in adding to it a signature appendix 
comprising: 

- either each GQ2 triplet, namely each commitment 7?, each challenge d and 
each response D, 
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- or else each commitment R and each corresponding response Z), 

- or else each challenge d and each corresponding response D. 

The running of the verification operation depends on the contents of the 
signature appendix. There are three possible cases. 

Should the appendix comprise one or more triplets, the checking operation 
has two independent processes for which the chronology is not important. The 
controller accepts the signed message if and only if the two following conditions are 
fulfilled. 

Firstly, each triplet must be consistent (an appropriate relationship for the 
following type has to be verified) and acceptable (the comparison has to be done on a 
non-zero value Y 

RjjGf^D 2 ' ( mo d«)orel S e^ 2t n^ (mod b) 

For example, the response D is converted by a^sequence of elementary 
operations: k squared (mod n) separated by k-l multiplication or division operations 
(mod ri) by base numbers. For the z'-th multiplication or division which is performed 
between the /-th square and the /+lst square, the /-th bit of the elementary challenge 
dj indicates whether it is necessary to use gj, the z-th bit of the elementary challenge 
d2 indicates whether it is necessary to use g2, ... up to the z-th bit of the elementary 
challenge d m which indicates if it is necessary to use g m . It is thus necessary to 
retrieve each commitment R present in the signature appendix. 

Furthermore, the triplet or triplets must be linked to the message M. By 
hashing all the commitments R and the message M, a hashing code is obtained from 
which each challenge d must be recovered. 

d = dj I d2 1 ... jd m identical to those extracted from the result Hash(M, R) 

Should the appendix have no challenge, the checking operation starts with a 
reconstruction of one or more challenges d by hashing all the commitments R and 
the message M. 

D' = d f i I d*2 I ... / d' m , extracted from the result Hash(M, R) 
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Then, the controller accepts the signed message if and only if each triplet is 
consistent (an appropriate relationship of the following type is verified) and 
acceptable (the comparison is done on a non-zero value). 

JtflGf'=D* (mod k) or else ^^-n^ (mod n) 
Should the appendix comprise no commitment, the checking operation 
starts by reconstructing one or more commitments R } according to one of the 
following two formulae, namely the one that is appropriate. No re-established 

commitment should be zero. 

R=D~ /[ [Gf' (mod r) or else K=Dr \ [G?> ( mod n ) 

Then, the controller must hash" all the commitments k' and the message Mso 
as to reconstitute each challenge d. 

d — dj I d2 1 ... / d m , identical to those extracted from the result Hash(M, R) 

The controller accepts the signed message if and only if each reconstituted 
challenge is identical to the corresponding challenge in the appendix. 

In the present application, it has been shown that there are pairs of private 
values and public values Q and G respectively used to implement the method, system 
and device according to the invention, designed to prove the authenticity of an entity 
and/or integrity and/or authenticity of a message. 

In the pending application filed on the same day as the present application by 
France Telecom, TDF and the firm Math RiZK, whose inventors are Louis Guillou 
and Jean- Jacques Quisquater, a method has been described for the production of sets 
of GQ2 keys namely moduli n and pairs of public and private values G and Q 
respectively when the exponent v is equal to 2^. This patent application is 
incorporated herein by reference. 
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CLAIMS 

1. Method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the following parameters or derivatives of these 
parameters: 

- m pairs of private values Q l5 Q 2 , ... Q m and public values G u G 2 , ... G m 
(m being greater than or equal to 1), 

- a public modulus n constituted by the product of f prime factors p u p 2 , ... Pf 
(f being greater than or equal to 2), 

- a public exponent v; 

said modulus, said exponent and said values being related by relations of the 
following type 

Gs . Qi v = 1 . mod n or Gj = Qj v mod n; 

said exponent v being such that 

v = 2 k 

where k is a security parameter greater than 1; 

said public value G ; being the square g s 2 of a base number g ; smaller than the f 
prime factors p 1? p 2 , ... p f , the base number gj being such that: 
the two equations: 

x 2 = gj mod n and x 2 = - gj mod n 

cannot be resolved in x in the ring of integers modulo n 
and such that: 

the equation: 

x v = gj 2 mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f 
prime factors Pi and/or parameters of the Chinese remainders of the prime factors 
and/or the public modulus n and/or the m private values Q { and/or the f.m 
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components j (Q s ^ = Q ; mod pj) of the private values Q ; and of the public 
exponent v; 

- the witness computes commitments R in the ring of integers modulo n; each 
commitment being computed: 

• either by performinp operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

Ri = r s v mod p s 

where r { is a random value associated with the prime number pj such that 0 < r; < p i; 
each n belonging to a collection of random values {rj , r 2 , ... r f } 3 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising 
m integers dj hereinafter called elementary challenges; the witness, on the basis of 
each challenge d, computes a response D, 

• either by performing operations of the type: 

D = - . Qi dl . Q 2 d2 . ... Q m dm mod n 

• or 

• • by performing operations of the type: 

Di = r { . Q M dl . Q l2 d2 . ... Q. m dm mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d 
as there are commitments R, each group of numbers R, d, D forming a triplet 
referenced {R, d, D}. 

2. Method according to claim 1, designed to prove the authenticity of an 
entity 'known as a demonstrator to an entity known as the controller, said 
demonstrator entity comprising the witness; 

said demonstrator and controller entities executing the following steps: 
w Step 1: act of commitment R 
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- at each call, the witness computes each commitment R by applying the 
process specified according to claim 1 , 

- the demonstrator sending the controller all or part of each commitment R, 

• Step 2: act of challenge d 

5 - the controller, after having received all or part of each commitment R, 

produces challenges d whose number is equal to the number of commitments R and 
sends the challenges d to the demonstrator, 

• Step 3: act of response D 

- the witness computes the responses D from the challenges d by applying the 
10 process specified in claim 1, 

• Step 4: act of checking 

- the demonstrator sends each response D to the controller, 

case where the demonstrator has transmitted a part of each commitment R 

if the demonstrator has transmitted a part of each commitment R, the controller, 
15 having the m public values Gj, G 2 , C^, computes a reconstructed commitment 

R', from each challenge d and each response D, this reconstructed commitment R* 

satisfying a relationship of the type 

R T = G 1 dl . G 2 d2 . ... G m dm . D v mod n 

or a relationship of the type 
20 R' = DV/Gi dl . G 2 d2 . ... G m dm . mod n 

the controller ascertains that each reconstructed commitment R' reproduces all or 

part of each commitment R that has been transmitted to it. 

Case where the demonstrator has transmitted the totality of each commitment 
R 

25 if the demonstrator has transmitted the totality of each commitment R, the controller, 
having the m public values Gj, G 2 , G m , ascertains that each commitment R 
satisfies a relationship of the type 

R = Gj dl . G 2 d2 . ... G m dm . D v mod n 
or a relationship of the type 

30 R s= D v /Gj di . G 2 d2 . ... G m dm . mod n 
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3. Method according to claim 1, designed to provide proof to an entity, 
known as the controller entity, of the integrity of a message M associated with an 
entity called a demonstrator entity, said demonstrator entity comprising the witness; 
said demonstrator and controller entities executing the following steps: 
5 • Step 1: act of commitment R 

- at each call, the witness computes each commitment R by applying the process 
specified according to claim 1 , 

• Step 2: act of challenge d 

- the demonstrator applies a hashing function h whose arguments are the message M 
10 and all or part of each commitment R to compute at least one token T, 

- the demonstrator sends the token T to the controller, 

- the controller, after having received a token T, produces challenges d equal in 
number to the number of commitments R and sends the challenges d to the 
demonstrator, 

15 • Step 3: act of response D 

- the witness computes the responses D from the challenges d by applying the 
process specified according to claim 1 , 

• Step 4: act of checking 

- the demonstrator sends each response D to the controller, 

20 - the controller, having the m public values Gi, G2> G m , computes a 
reconstructed commitment R\ from each challenge d and each response D, this 
reconstructed commitment R' satisfying a relationship of the type 
R' = Gx dl . G 2 d2 . ... G m dm m D v mod n 
or a relationship of the type 

25 R' = Dv/d dl . G 2 d2 . ... G m dm . mod n 

- then the controller applies the hashing function h whose arguments are the message 
M and all or part of each reconstructed commitment R f to reconstruct the token T\ 

- then the controller ascertains that the token T 1 is identical to the token T 
transmitted. 
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4. Method according to claim 1, designed to produce the digital signature of 
a message M by an entity known as the signing entity, said signing entity comprising 
the witness; 
Signing operation 

said signing entity executes a signing operation in order to obtain a signed message 
comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D; 

said signing entity executes the signing operation by implementing the following 
steps: 

• Step 1: act of commitment R 

- at each call, the witness computes each commitment R by applying the process 
specified according to claim 1, 

• Step 2: act of challenge d 

- the signing party applies a hashing function h whose arguments are the message M 
and each commitment R to obtain a binary train, 

- from this binary train, the signing party extracts challenges d whose number is 
equal to the number of commitments R, 

•Step 3: act of response D 

- the witness computes the responses D from the challenges d by applying the 
process specified according to claim 1. 

5. Method according to claim 4, designed to prove the authenticity of the 
message M by checking the signed message through an entity called a controller; 
Checking operation 

- said controller entity having the signed message executes a checking operation by 
proceeding as follows: 

• case where the controller has commitments R, challenges d, responses D 

if the controller has commitments R, challenges d, responses D, 
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• • the controller ascertains that the commitments R, the challenges d and the 
responses D satisfy relationships of the type 

R = G 1 dl . g 2 d2 . ... G m dm . D v mod n 
or relationships of the type: 

R = DV/d dl . g 2 d2 . ... G m dm # mod n 

• • the controller ascertains that the message M, the challenges d and the 
commitments R satisfy the hashing function: 

d = h (message, R) 

• case where the controller has challenges d and responses D 
if the controller has challenges d and responses D, 

• • the controller reconstructs, on the basis of each challenge d and each 
response D, commitments R' satisfying relationships of the type 

R' = G X dl . G 2 d2 . ... G m dm . D v mod n 
or relationships of the type: 

R' = D v /Gj dl . G 2 d2 . ... Gm dm . mod n 

• • the controller ascertains that the message M and the challenges d satisfy 
the hashing function: 

d = h (messa^ R') 

• case where the controller has commitments R and responses D 
if the controller has commitments R and responses D, 

• • the controller applies the hashing function and reconstructs d' 

d 1 = h (message, R) 

• • the controller device ascertains that the commitments R, the challenges d' 
and the responses D satisfy relationships of the type 

R = G 1 d'l . G 2 d'2 9 ### Gm d'm # D v mod n 
or relationships of the type: 

R = DV/d d'l . G 2 d'2 # _ Gjn d'm m mod n 

6. A system designed to prove, to a controller server, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 
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by means of all or part of the following parameters or derivatives of these 
parameters: 

- m pairs of private values Q l5 Q 2i ... Q m and public values G u G 2 , ... G m 
(m being greater than or equal to 1), 

- a public modulus n constituted by the product of said f prime factors p l5 p 2 , 
... p f (f being greater than or equal to 2), 

- a public exponent v. 

said modulus, said exponent and said values being linked by relations of the 

type 

G ; . Qj v = 1 . mod n or Gj = Q/ mod n . 

said exponent v is such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value Gi being the square gi 2 of the base number g s smaller than the 
f prime factors p ls p 2 , ... p f , the base number gi being such that: 
the two equations: 

x 2 = & mod n and x 2 = - gj mod n 

cannot be resolved in x in the ring of integers modulo n 
and such that: 

the equation: 

x v = mod n 

can be resolved in x in the ring of the integers modulo n; 

said system comprises a witness device, contained especially in a nomad object 
which, for example, takes the form of a microprocessor-based bank card, 
the witness device comprises 

- a memory zone containing the f prime factors Pi and/or the parameters of the 
Chinese remainders of the prime factors and/or the public modulus n and/or the m 
private values Q; and/or f.m components Q U1 (Q u = Q s mod pj) of the private values 
Qi and of the public exponent v ; 
said witness device also comprises: 
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- random value production means, hereinafter called random value production 
means of the witness device, 

- computation means, hereinafter called means for the computation of 
commitments R of the witness device, to compute commitments R in the ring of 
integers modulo n; each commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 

where r is a random value produced by the random value production means, r being 
such that 0 < r < n, 

• or by performing operations of the type: 

Ri = rj v mod pi 

where r { is a random value associated with the prime number p t such that 0 < r s < p i5 
each r; belonging to a collection of random values {r t , r 2 , ... r f }, then by applying 
the Chinese remainder method; 
said witness device also comprises: 

- reception means hereinafter called the means for the reception of the 
challenges d of the witness device, to receive one or more challenges d; each 
challenge d comprising m integers d; hereinafter called elementary challenges; 

- computation means, hereinafter called means for the computation of the 
responses D of the witness device for the computation, on the basis of each challenge 
d, of a response D, 

• either by performing operations of the type: 

D = r . Qi dI . Q 2 d2 Q m dm mod n 

• or by performing operations of the type: 

Di ^ n . Q M dl . Q ia d2 . ... Q iim dm mod Pi 
and then by applying the Chinese remainder method. 

- transmission means to transmit one or more commitments R and one or 
more responses D; 

there are as many responses D as there are challenges d as there are commitments R, 
each group of numbers R, d, D forming a triplet referenced {R, d, D}. 
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7. A system according to claim 6, designed to prove the authenticity of an 
entity called a demonstrator and an entity called a controller, 
said system being such that it comprises: 

- a demonstrator device associated with the demonstrator entity, said 
demonstrator device being interconnected with the witness device by interconnection 
means and possibly taking the form especially of logic microcircuits in a nomad 
object, for example the form of a microprocessor in a microprocessor-based bank 
card, 

- a controller device associated with the controller entity, said controller 
device especially taking the form of a terminal or remote server, said controller 
device comprising connection means for its electrical, electromagnetic, optical or 
acoustic connection, especially through a data-processing communications network, 
to the demonstrator device; 

said system enabling the execution of the following steps: 

• Step 1: act of commitment R 

at each call, the means of computation of the commitments R of the witness device 
compute each commitment R by applying the process specified according to claim 1, 
the witness device has means of transmission, hereinafter called the transmission 
means of the witness device, to transmit all or part of each commitment R to the 
demonstrator device through the interconnection means, 

the demonstrator device also has transmission means, hereinafter called the 
transmission means of the demonstrator, to transmit all or part of each commitment 
R to the controller device through the connection means; 

• Step 2: act of challenge d 

the controller device comprises challenge production means for the production, after 
receiving all or part of each commitment R, of the challenges d equal in number to 
the number of commitments R, 

the controller device also has transmission means, hereinafter known as the 
transmission means of the controller, to transmit the challenges d to the demonstrator 
through the connection means ; 
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• Step 3: act of response D 

the means of reception of the challenges d of the witness device receive each 
challenge d coming from the demonstrator device through the interconnection 
means, 

the means of computation of the responses D of the witness device compute the 
responses D from the challenges d by applying the process specified according to 
claim 1, 

• Step 4: act of checking 

the transmission means of the demonstrator transmit each response D to the 
controller, 

the controller device also comprises: 

- computation means, hereinafter called the computation means of the 
controller device, 

- comparison means, hereinafter called the comparison means of the 
controller device, 

case where the demonstrator has transmitted a part of each commitment R. 

if the transmission means of the demonstrator have transmitted a part of each 
commitment R, the computation means of the controller device, having m public 
values Gj, G2, G m , compute a reconstructed commitment R\ from each 
challenge d and each response D, this reconstructed commitment R' satisfying a 
relationship of the type 

R' = Gi dl . g 2 d2 . ... G m dm # D v mod n 
or a relationship of the type 

R' = Dv/d dl . g 2 d2 . ... G m dm . mod n 
the comparison means of the controller device compare each reconstructed 
commitment R f with all or part of each commitment R received, 
case where the demonstrator has transmitted the totality of each commitment 
R 

if the transmission means of the demonstrator have transmitted the totality of each 
commitment R, the computation means and the comparison means of the controller 
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device, having m public values Gj, G2, G m , ascertain that each commitment R 
satisfies a relationship of the type 

R = Gx dl . G 2 d2 . .» G m dm m D v mod n 
or a relationship of the type 

R = Dv/Gi d l . G 2 d2 . ... G m dm m mod n 
8. System according to claim 6, designed to give proof to an entity, known as 
a controller, of the integrity of a message M associated with an entity known as a 
demonstrator, 

said system being such that it comprises 

- a demonstrator device associated with the demonstrator entity, said 
demonstrator device being interconnected with the witness device by interconnection 
means and possibly taking *he form especially of logic microcircuits in a nomad 
object, for example the form of a microprocessor in a microprocessor-based bank 
card, 

- a controller device associated with the controller entity, said controller 
device especially taking the form of a terminal or remote server, said controller 
device comprising connection means for its electrical, electromagnetic, optical or 
acoustic connection, especially through a data-processing communications network, 
to the demonstrator device; 

said system enabling the execution of the following steps: 

• Step 1: act of commitment R 

at each call, the means of computation of the commitments R of the witness device 
compute each commitment R by applying the process specified in claim 1 
the witness device has transmission means, hereinafter called transmission means of 
the witness device, to transrr.il all or part of each commitment R to the demonstrator 
device through the interconnection means, 

• Step 2: act of challenge d 

the demonstrator device comprises computation means, hereinafter called the 
computation means of the demonstrator, applying a hashing function h whose 
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arguments are the message ivf and all or part of each commitment R to compute at 
least one token T, 

the demonstrator device also has transmission means, hereinafter known as the 
transmission means of the demonstrator device, to transmit each token T through the 
connection means to the controller device, 

the controller device also has challenge production means for the production, after 
having received the token T, of the challenges d in a number equal to the number of 
commitments R, 

the controller device also has transmission means, hereinafter called the transmission 
means of the controller, to transmit the challenges d to the demonstrator through the 
connection means; 

•Step 3: act of response D 
the means of reception of the challenges d of the witness device receive each 
challenge d coming from the demonstrator device through the interconnection 
means, 

the means of computation of the responses D of the witness device compute the 
responses D from the challenges d by applying the process specified according to 
claim 1, 

• Step 4: act of checking 
the transmission means of the demonstrator transmit each response D to the 
controller, 

the controller device also comprises computation means, hereinafter called the 
computation means of the controller device, having m public values Gj, G2, G m , 
to firstly compute a reconstructed commitment R\ from each challenge d and each 
response D, this reconstructed commitment R* satisfying a relationship of the type 

R' = Gi dl . G 2 d2 . ... G m dm . D v mod n 
or a relationship of the type 

R f = D v /Gj dl . G 2 d2 . ... G m dm . mod n 
then, secondly, compute a token T f by applying the hashing function h having as 
arguments the message M and all or part of each reconstructed commitment R', 
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the controller device also has comparison means, hereinafter known as the 
comparison means of the controller device, to compare the computed token T' with 
the received token T. 

9. System according to claim 6, designed to produce the digital signature of a 
message M, hereinafter known as the signed message, by an entity called a signing 
entity; 

the signed message comprising: 

- the message M, 

- the challenges d ano/or the commitments R, 

- the responses D; 
Signing operation 

said system being such that it comprises a signing device associated with the signing 
entity, said signing device being interconnected with the witness device by 
interconnection means and possibly taking the form especially of logic microcircuits 
in a nomad object, for example the form of a microprocessor in a microprocessor- 
based bank card, 

said system enabling the execution of the following steps: 

• Step 1: act of commitment R 

at each call, the means of computation of the commitments R of the witness device 
compute each commitment R by applying the process specified according to claim 1, 
the witness device has means of transmission, hereinafter called the transmission 
means of the witness device, to transmit all or part of each commitment R to the 
demonstrator device through the interconnection means, 

• Step 2: act of challenge d 

the signing device comprises computation means, hereinafter called the computation 
means of the signing device, applying a hashing function h whose arguments are the 
message M and all or part of each commitment R to compute a binary train and 
extract, from this binary train, challenges d whose number is equal to the number of 
commitments R, 

• Step 3: act of response D 
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the means for the reception of the challenges d of the witness device receive each 
challenge d coming from the signing device through the interconnection means, 
the means for computing the responses D of the witness device compute the 
responses D from the challenges d by applying the process specified according to 
claim 1, 

the witness device comprises transmission means, hereinafter called means of 
transmission of the witness device, to transmit the responses D to the signing device 
through the interconnection means. 

10. System according to claim 9, designed to prove the authenticity of the 
message M by checking the signed message by means of an entity called the 
controller; 

Checking operation 

the system being such that it comprises a controller device associated with the 
controller entity, said controller device especially taking the form of a terminal or 
remote server, said controlle: device comprising connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to the signing device; 

the signing device associated with the signing entity comprises transmission means, 
hereinafter known as the transmission means of the signing device, for the 
transmission, to the controller device, of the signed message through the connection 
means, in such a way that the controller device has a signed message comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D; 

the controller device comprises: 

- computation means hereinafter called the computation means of the 
controller device, 

- comparison means, hereinafter called the comparison means of the 
controller device, 

• case where the controller device has commitments R, challenges d, responses D 
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if the controller has commitments R, challenges d, responses D, 

• • the computation and comparison means of the controller device ascertain 
that the commitments R, the challenges d and the responses D satisfy relationships of 
the type 

5 R = d dl . G 2 d2 . ... G m dm . DV mod n 

or relationships of the type: 

R s D v /G! dl . G 2 62 . .» G m dm . mod n 

• • the computation and comparison means of the controller device ascertain 
that the message M, the challenges d and the commitments R satisfy the hashing 

10 function: 

d = h (message, R) 

* case where the controller device has challenges d and responses D 

if the controller device has challenges d and responses D, 

• • the computation means of the controller, on the basis of each challenge d 
15 and each response D, compute commitments R' satisfying relationships of the type 

R' = G X dl . G 2 d2 . ... G m dm . D v mod n 
or relationships of the type: 

R' = DV/Gi dl . G 2 d2 . ». G m dm . mod n 

• • the computation and comparison means of the controller device ascertain 
20 that the message M and the challenges d satisfy the hashing function: 

d = h (message, R') 

• case where the controller device has commitments R and responses D 
if the controller device has commitments R and responses D, 

• • the computation means of the controller device apply the hashing function 
25 and compute d' such that 

d' = h (message, R) 

• • the computation and comparison means of the controller device ascertain 
that the commitments R, the challenges d' and the responses D satisfy relationships 
of the type 

30 R = Gi d>1 . G 2 d ' 2 . ... G m d ' m . D v mod n 
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or relationships of the type: 

R s D v /Gi d '! . G 2 d ' 2 . ... G m d'm m mod n 

11. A terminal device associated with an entity, taking the form especially of 
a nomad object, for example the form of a microprocessor in a microprocessor-based 
5 bank card, designed to prove to a controller server: 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity; 

by means of all or part of the following parameters or derivatives of these 
parameters: 

10 - m pairs of private values Qi, Q 2 , ... Q m and public values Gi, G 2 , ... G m 

(m being greater than or equal to 1), 

- a public modulus n constituted by the product of said f prime factors p 1? p 2 , 
... p f (f being greater than or equal to 2), 

- a public exponent v. 

15 said modulus, said exponent and said values being related by relations of the type 

G t . Qi v -1 . mod n or Gi = Qi V mod n . 
said exponent v being such that 

v = 2 k 

where k is a security parameter greater than 1. 
20 said public value G ; being the square gj 2 of the base number gj smaller than the f 
prime factors p 1? p 2 , ... Pf, the base number gi being such that: 
the two equations: 

x 2 = gi mod n and x 2 = - g t mod n 
cannot be resolved in x in the ring of integers modulo n 
25 and such that 

the equation: 

x v = g 2 mod n 

can be resolved in x in the ring of the integers modulo n. 
said terminal device comprises a witness device comprising, 
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- a memory zone containing the f prime factors Pi and/or the parameters of the 
Chinese remainders of the prime factors and/or the public modulus n and/or the m 
private values Q t and/or f.m components Q u j (Qjj = Qi mod pj) of the private values 
Qi and of the public exponent v. 

5 said witness device also comprises: 

- random value production means, hereinafter called random value production 
means of the witness device, 

- computation means, hereinafter called means for the computation of 
commitments R of the witness device, to compute commitments R in the ring of the 

10 integers modulo n; each commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 

where r is a random value produced by the random value production means, r being 
such that 0 < r < n, 
15 • or by performing operations of the type: 

R; = r s v mod Pi 

where r { is a random value associated with the prime number p ; such that 0 < rj < p is 
each n belonging to a collection of random values {r x , r 2 , ... r f } produced by the 
random value production means, then by applying the Chinese remainder method; 
20 the witness device also comprises: 

- reception means hereinafter called the means for the reception of the 
challenges d of the witness device, to receive one or more challenges d; each 
challenge d comprising m integers d ; hereinafter called elementary challenges; 

- computation means, hereinafter called means for the computation of the 
25 responses D of the witness device, for the computation, on the basis of each 

challenge d, of a response D, 

• either by performing operations of the type: 

D = r . Q, dl . Q 2 d2 . ... Q m dm mod n 

• or by performing operations of the type: 

30 Di s r 8 . Q M dl . Q u d2 . Qi, m dm mod Pi 
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and then by applying the Chinese remainder method, 

- transmission means to transmit one or more commitments R and one or 
more responses D ; 

there are as many responses D as there are challenges d as there are commitments R, 
5 each group of numbers R, d, D forming a triplet referenced {R, d, D}. 

12. A terminal device according to claim 11, designed to prove the 

authenticity of an entity called a demonstrator to an entity called a controller. 

said terminal device being such that it comprises a demonstrator device associated 

with the demonstrator entity, said demonstrator device being interconnected with the 
10 witness device by interconnection means and being capable especially of taking the 

form of logic microcircuits in a nomad object, for example the form of a 

microprocessor in a microprocessor-based bank card, 

said demonstrator device also comprising connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
15 communications network, to the controller device associated with the controller 
entity, said controller device especially taking the form of a terminal or remote 
server; 

said terminal device enabling the execution of the following steps: 

• Step 1: act of commitment R 

20 at each call, the means of computation of the commitments R of the witness device 
compute each commitment R by applying the process specified according to claim 1, 
the witness device has transmission means, hereinafter called the transmission means 
of the witness device, to transmit all or part of each commitment R to the 
demonstrator device through the interconnection means, 

25 the demonstrator device also has transmission means, hereinafter called the 
transmission means of the demonstrator, to transmit all or part of each commitment 
R to the controller device, through the connection means; 

• Steps 2 and 3: act of challenge d, act of response D 

the means of reception of the challenges d of the witness device receive each 
30 challenge d coming from the controller device through the connection means 
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between the controller device and the demonstrator device and through the 
interconnection means between the demonstrator device and the witness device, 
the means of computation of the responses D of the witness device compute the 
responses D from the challenges d by applying the process specified according to 
5 claim 1, 

• Step 4: act of checking 

the transmission means of the demonstrator transmit each response D to the 
controller that carries out the check. 

13. Terminal device according to claim 11, designed to give proof to an 
10 entity, known as a controller, of the integrity of a message M associated with an 
entity known as a demonstrator, 

said terminal device being such that it comprises a demonstrator device associated 
with the demonstrator entity, said demonstrator device being interconnected with the 
witness device by interconnection means and being capable especially of taking the 
15 form of logic microcircuits in a nomad object, for example the form of a 
microprocessor in a microprocessor-based bank card, 

said demonstrator device comprising connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to the controller device associated with the controller 
20 entity, said controller device especially taking the form of a terminal or remote 
server; 

said terminal device being used to execute the following steps: 

• Step 1: act of commitment R 

at each call, the means of computation of the commitments R of the witness device 
25 compute each commitment R by applying the process specified according to claim 1 ; 

the witness device has means of transmission, hereinafter called the transmission 
means of the witness device, to transmit all or part of each commitment R to the 
demonstrator device through the interconnection means, 

• Steps 2 and 3: act of challenge d, act of response D 
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the demonstrator device comprises computation means, hereinafter called the 
computation means of the demonstrator, applying a hashing function h whose 
arguments are the message M and all or part of each commitment R to compute at 
least one token T, 

the demonstrator device also has transmission means, hereinafter known as the 
transmission means of the demonstrator device, to transmit each token T, through the 
connection means, to the controller device, 

(said controller, after having received the token T, produces challenges d in a 
number equal to the number of commitments RJ 

the means of reception of the challenges d of the witness device receive each 
challenge d coming from the controller device through the connection means 
between the controller device and the demonstrator device and through the 
interconnection means between the demonstrator device and the witness device, 
the means of computation of the responses D of the witness device compute the 
responses D from the challenges d by applying the process specified according to 
claim 1, 

• Step 4: act of checking 
the transmission means of the demonstrator send each response D to the controller 
device which performs the check. 

14. Terminal device according to claim 11, designed to produce the digital 
signature of a message M, hereinafter known as the signed message, by an entity 
called a signing entity; 
the signed message comprising: 

- the message M, 

- the challenges d and/or the commitments R, 
~ the responses D; 

said terminal device being s\ :\\ that it comprises a signing device associated with the 
signing entity, said signing device being interconnected with the witness device by 
interconnection means and possibly taking especially the form of logic microcircuits 
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in a nomad object, for example the form of a microprocessor in a microprocessor- 
based bank card, 

said demonstrator device comprising connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to the controller device associated with the controller 
entity, said controller device especially taking the form of a terminal or remote 
server; 

Signing operation 

said terminal device being used to execute the following steps: 

• Step 1: act of commitment R 

at each call, the means of computation of the commitments R of the witness device 
compute each commitment R by applying the process specified according to claim 1, 
the witness device has means of transmission, hereinafter called the transmission 
means of the witness device, to transmit all or part of each commitment R to the 
signing device through the interconnection means, 

• Step 2: act of challenge d 

the signing device comprises computation means, hereinafter called the computation 
means of the signing device, applying a hashing function h whose arguments are the 
message M and all or part of each commitment R to compute a binary train and 
extract, from this binary trair, challenges d whose number is equal to the number of 
commitments R, 

• Step 3: act of response D 

the means for the reception of the challenges d of the witness device receive each 
challenge d coming from the signing device through the interconnection means, 
the means for computing the responses D of the witness device compute the 
responses D from the challenges d by applying the process specified according to 
claim 1, 

the witness device comprises transmission means, hereinafter called means of 
transmission of the witness device, to transmit the responses D to the signing device, 
through the interconnection means. 
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15. Controller device especially taking the form of a terminal or remote 
server associated with a controller entity, designed to check: 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity 

5 by means of all or part of the following parameters or derivatives of these 
parameters: 

- m pairs of public values G x , G 2 , ... G m (m being greater than or equal to 1), 

- a public modulus n constituted by the product of said f prime factors p j9 p 2 , 
... p f (f being greater than or equal to 2), unknown to the controller device and to the 

10 associated controller entity, 

- a public exponent v; 

said modulus, said exponent and said values being related by relations of the type 

Gi . Q; v = 1 . mod n or Gi = Q s v mod n . 
where Q ; designates a private value, unknown to the controller device, associated 
15 with the public value Gj. 

said exponent v being such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value G; being the square g 2 of a base number g s smaller than the f prime 
20 factors p l9 p 2 , ... Pf, the base number g; being such that 
the two equations: 

x 2 = gi mod n and x 2 = - gi mod n 

cannot be resolved in x in the ring of integers modulo n and such that: 
the equation: 

25 x v = gi 2 mod n 

can be resolved in x in the ring of the integers modulo n. 

16. Controller device according to claim 15, designed to prove the 
authenticity of an entity called a demonstrator to an entity called a controller; 

said controller device comprising connection means for its electrical, 
30 electromagnetic, optical or acoustic connection, especially through a data-processing 
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communications network, to a demonstrator device associated with the demonstrator 
entity; 

sid controller device being used to execute the following steps: 

• Steps 1 and 2: act of commitment R, act of challenge d 

5 said controller device also has means for the reception of all or part of the 
commitments R coming from the demonstrator device through the connection means, 
the controller device has challenge production means for the production, after 
receiving all or part of each commitment R, of the challenges d in a number equal to 
the number of commitments R, each challenge d comprising m integers d[ 
10 hereinafter called elementary challenges. 

the controller device also has transmission means, hereinafter called transmission 
means of the controller, to transmit the challenges d to the demonstrator through the 
connection means; 

• Steps 3 and 4: act of response D, act of checking 
15 said controller device also comprises: 

- means for the reception of the responses D coming from the demonstrator 
device, through the connection means, 

- computation means, hereinafter called the computation means of the 
controller device, 

20 - comparison means, hereinafter called the comparison means of the 

controller device, 

case where the demonstrator has transmitted a part of each commitment R. 

if the reception means of the demonstrator have received a part of each commitment 
R, the computation means of the controller device, having m public values Gj, G2, 
25 G m , compute a reconstructed commitment R', from each challenge d and each 

response D, this reconstructed commitment R f satisfying a relationship of the type 

R 1 = Gi dl . G 2 d2 . ... G m dm . D v mod n 
or a relationship of the type 

R' = D v /Gi dl . G2 d2 . ... G m dm . mod n 
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the comparison means of the controller device compare each reconstructed 

commitment R f with all or part of each commitment R received, 

case where the demonstrator has transmitted the totality of each commitment 

R 

if the transmission means of the demonstrator have received the totality of each 
commitment R, the computation means and the comparison means of the controller 
device, having m public values Gj, G 2 , ...» G m , ascertain that each commitment R 
satisfies a relationship of the type 

R = Gi dl . G 2 d2 - ... G m dm # D v mod n 
or a relationship of the type 

R s= D v /Gi dl . G 2 d2 . ... G m dm . mod n 
17. Controller device according to claim 15, designed to give proof to an 
entity, known as a controller, of the integrity of a message M associated with an 
entity known as a demonstrator, 

said controller device comprising connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to a demonstrator device associated with the demonstrator 
entity, 

said system enabling the execution of the following steps: 

• Steps 1 and 2: act of commitment R, act of challenge d 

said controller device also has means for the reception of tokens T coming from the 
demonstrator device through the connection means, 

the controller device has challenge production means for the production, after having 
received the token T, of the challenges d in a number equal to the number of 
commitments R, each challenge d comprising m integers dj, herein after called 
elementary challenges, 

the controller device also has transmission means, hereinafter called the transmission 
means of the controller, to transmit the challenges d to the demonstrator through the 
connection means; 

• Steps 3 and 4: act of response D, act of checking 
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the controller device also comprises: 

- means for the reception of the responses D coming from the demonstrator 
device, through the connection means, 

- computation means, hereinafter called the computation means of the 
5 controller device, having m public values Gj, G2, G m , to firstly compute a 

reconstructed commitment R f , from each challenge d and each response D, this 
reconstructed commitment R f satisfying a relationship of the type 
R' - Gi dl . G 2 d2 . ... G m dm % D v mod n 
or a relationship of the type 
10 R' s D v /Gj dl . G 2 d2 . ... G m dm . mod n 

then, secondly, compute a token T* by applying the hashing function h having as 
arguments the message M and all or part of each reconstructed commitment R\ 
the controller device also comprises: 

- comparison means, hereinafter called the comparison means of the 
15 controller device, to compare the computed token T with the received token T. 

18. Controller device according to claim 15, designed to prove the 
authenticity of the message M by checking a signed message by means of an entity 
called a controller; 

the signed message, sent by a signing device associated with a signing entity having 
20 a hashing function h (message, R), comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D; 
Checking operation 

25 said controller device comprising connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to a signing device associated with the signing entity, 
said controller device having received the signed message from the signed device, 
through the connection means, 

30 the controller device comprises: 
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- computation means, hereinafter called the computation means of the 
controller device, 

- comparison means, hereinafter called the comparison means of the 
controller device; 

• case where the controller device has commitments R, challenges d, responses D 

if the controller has commitments R, challenges d, responses D, 

• • the computation and comparison means of the controller device ascertain 
that the commitments R, the challenges d and the responses D satisfy relationships of 
the type 

R = Gl dl . G 2 d2 . »• G m dm - ° v mod n 

or relationships of the type: 

R = D v /Gi dl . G 2 d2 - ». G m dm . mod n 

• • the computation and comparison means of the controller device ascertain 
that the message M, the challenges d and the commitments R satisfy the hashing 
function 

d = h (message, R) 

• case where the controller device has challenges d and responses D 

if the controller device has challenges d and responses D, 

• • the computation means of the controller, on the basis of each challenge d 
and each response D, compute commitments R' satisfying relationships of the type 

R> = Gi dl . G 2 d2 - «. G m dm - D v mod n 
or relationships of the type: 

R' = D v /Gi dl . G 2 d2 . - G m dm . mod n 

• • the computation and comparison means of the controller device ascertain 
that the message M and the challenges d satisfy the hashing function: 

d = h (message, R') 

• case where the controller device has commitments R and responses D 
if the controller device has commitments R and responses D, 

• • the computation means of the controller device apply the hashing function 
and compute d' such that 
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d f = h (message, R) 
• • the computation and comparison means of the controller device ascertain 
that the commitments R, the challenges d' and the responses D satisfy relationships 
of the type 

R = G X d f 1 . G 2 d ' 2 . ... G m d f m . D v mod n 

or relationships of the type: 

R = Dv/Gi d f 1 . G 2 a?2 . .. G m d ' m . mod n 
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mav jeopardize the validity of the application or any patent issued thereon. 




Name | ^—^^J 



Full Name 
Of Inventor 



Family 

Guillou 



First Given Name 

Louis 



Second Given Name^ 



Residence 
& Citizenship 



City 

Ronroh^ rre 



State or Foreign Country 

France 



Country of Citizenship 

France 



Mailing 
Address 



Address 

16, rue de I'Ise 



City 

Bourgbarre 



State & Zip Code/Country 

35230 /France 



Signature of Inventor 201: 



Date 



Full Name 
Of Inventor 



Family Name 

Quisquater 




First Given Name 

Jean-Jacques 



Second Given Name 



Residence 
& Citizenship 



City 

Rhode Saint Genese 



State or Foreign Country 
Belgium 



Country of Citizenship 

Belgium 



Mailing 
Address 



Address 

3, avenue des Canards 



City 

Rhode Saint Genese 



State & Zip Code/Country 
1 640 / Belgium 



Signature of Inventor 202: 



Date: 



4 



